73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736

Analysis

max time kernel
102s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.86-Installer-1.0.exe
Size

21.7MB
MD5

54686b90f8d52d9489a4e8f41738d0da
SHA1

6931287434aa17f3681dde38710224165cb368ee
SHA256

73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736
SHA512

ee9a2f658bd7f695c5a5bef480b4189724fcdb3ac9be916e6a2575f34737107bd35f8f388b42c3c4f6464051d24221a34992baf8ccb18efdcf854cfe8e25d700
SSDEEP

393216:tXemKme/RtYto0fs/dQETVlOBbpFEj9GZdqV56HpkbGCST7yuk9sLe:tOmsJWTHExiTTqqHpMs6

Score

8^/10

adware discovery persistence spyware stealer upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

50 2656 msiexec.exe
52 2656 msiexec.exe
54 2656 msiexec.exe
56 2656 msiexec.exe
Downloads MZ/PE file

flow	pid	process
50	2656	msiexec.exe
52	2656	msiexec.exe
54	2656	msiexec.exe
56	2656	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

irsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeAssistant_96.0.4693.50_Setup.exe_sfx.exejre-windows.exeassistant_installer.exeassistant_installer.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
844	irsetup.exe
1960	AdditionalExecuteTL.exe
896	irsetup.exe
1516	opera-installer-bro.exe
1712	opera-installer-bro.exe
1532	opera-installer-bro.exe
1184	opera-installer-bro.exe
1684	opera-installer-bro.exe
2968	Assistant_96.0.4693.50_Setup.exe_sfx.exe
2560	jre-windows.exe
2644	assistant_installer.exe
1816	assistant_installer.exe
2360	installer.exe
2212	bspatch.exe
1264	unpack200.exe
1880	unpack200.exe
2420	unpack200.exe
2488	unpack200.exe
2528	unpack200.exe
2140	unpack200.exe
2208	unpack200.exe
2384	unpack200.exe
2212	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.86-Installer-1.0.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeassistant_installer.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1704	TLauncher-2.86-Installer-1.0.exe
1704	TLauncher-2.86-Installer-1.0.exe
1704	TLauncher-2.86-Installer-1.0.exe
1704	TLauncher-2.86-Installer-1.0.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
844	irsetup.exe
1960	AdditionalExecuteTL.exe
1960	AdditionalExecuteTL.exe
1960	AdditionalExecuteTL.exe
1960	AdditionalExecuteTL.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
896	irsetup.exe
1516	opera-installer-bro.exe
1516	opera-installer-bro.exe
1712	opera-installer-bro.exe
1516	opera-installer-bro.exe
1532	opera-installer-bro.exe
1516	opera-installer-bro.exe
1184	opera-installer-bro.exe
1184	opera-installer-bro.exe
1684	opera-installer-bro.exe
1516	opera-installer-bro.exe
1516	opera-installer-bro.exe
1516	opera-installer-bro.exe
844	irsetup.exe
1516	opera-installer-bro.exe
2644	assistant_installer.exe
1344
1344
2656	msiexec.exe
2212	bspatch.exe
2212	bspatch.exe
2212	bspatch.exe
2360	installer.exe
1264	unpack200.exe
1880	unpack200.exe
2420	unpack200.exe
2488	unpack200.exe
2528	unpack200.exe
2140	unpack200.exe
2208	unpack200.exe
2384	unpack200.exe
2360	installer.exe
2360	installer.exe
2360	installer.exe
812
812
2212	javaw.exe
2212	javaw.exe
2212	javaw.exe
2212	javaw.exe
2212	javaw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\InprocServer32	installer.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/844-73-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/844-367-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-369-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-384-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-401-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/896-462-0x00000000012B0000-0x0000000001698000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/896-499-0x00000000012B0000-0x0000000001698000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/1532-541-0x0000000000D10000-0x0000000001248000-memory.dmp	upx
behavioral1/memory/1516-551-0x0000000000C40000-0x0000000001178000-memory.dmp	upx
behavioral1/memory/844-561-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/1532-560-0x0000000000D10000-0x0000000001248000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1712-594-0x0000000000C40000-0x0000000001178000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1184-1383-0x0000000000C40000-0x0000000001178000-memory.dmp	upx
behavioral1/memory/1684-1385-0x0000000000C40000-0x0000000001178000-memory.dmp	upx
behavioral1/memory/844-1400-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-1575-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-1690-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/844-1711-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx
behavioral1/memory/2212-1838-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2212-1847-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/844-2141-0x0000000000CC0000-0x00000000010A8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeopera-installer-bro.exeopera-installer-bro.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dcpr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2native.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_es2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\resources.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\bci.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jawt.dll	installer.exe

Drops file in Windows directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6d81be.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6d81be.msi	msiexec.exe
File created	C:\Windows\Installer\6d81c0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88BB.tmp	msiexec.exe
File created	C:\Windows\Installer\6d81c2.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_08"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.8.0.0\CLSID	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_98"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_52"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_37"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_47"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_94"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_38"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exeopera-installer-bro.exeirsetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2560	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2560	jre-windows.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeCreateTokenPrivilege	2560	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2560	jre-windows.exe
Token: SeLockMemoryPrivilege	2560	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2560	jre-windows.exe
Token: SeMachineAccountPrivilege	2560	jre-windows.exe
Token: SeTcbPrivilege	2560	jre-windows.exe
Token: SeSecurityPrivilege	2560	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2560	jre-windows.exe
Token: SeLoadDriverPrivilege	2560	jre-windows.exe
Token: SeSystemProfilePrivilege	2560	jre-windows.exe
Token: SeSystemtimePrivilege	2560	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2560	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2560	jre-windows.exe
Token: SeCreatePagefilePrivilege	2560	jre-windows.exe
Token: SeCreatePermanentPrivilege	2560	jre-windows.exe
Token: SeBackupPrivilege	2560	jre-windows.exe
Token: SeRestorePrivilege	2560	jre-windows.exe
Token: SeShutdownPrivilege	2560	jre-windows.exe
Token: SeDebugPrivilege	2560	jre-windows.exe
Token: SeAuditPrivilege	2560	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2560	jre-windows.exe
Token: SeChangeNotifyPrivilege	2560	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2560	jre-windows.exe
Token: SeUndockPrivilege	2560	jre-windows.exe
Token: SeSyncAgentPrivilege	2560	jre-windows.exe
Token: SeEnableDelegationPrivilege	2560	jre-windows.exe
Token: SeManageVolumePrivilege	2560	jre-windows.exe
Token: SeImpersonatePrivilege	2560	jre-windows.exe
Token: SeCreateGlobalPrivilege	2560	jre-windows.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

irsetup.exeirsetup.exe

pid process

844 irsetup.exe
844 irsetup.exe
844 irsetup.exe
844 irsetup.exe
844 irsetup.exe
844 irsetup.exe
896 irsetup.exe
896 irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.86-Installer-1.0.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exe

description	pid	process	target process
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 1704 wrote to memory of 844	1704	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 844 wrote to memory of 1960	844	irsetup.exe	AdditionalExecuteTL.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 1960 wrote to memory of 896	1960	AdditionalExecuteTL.exe	irsetup.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 896 wrote to memory of 1516	896	irsetup.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1712	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1532	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 1184	1516	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1184 wrote to memory of 1684	1184	opera-installer-bro.exe	opera-installer-bro.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1516 wrote to memory of 2968	1516	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 844 wrote to memory of 2560	844	irsetup.exe	jre-windows.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe" "__IRCT:3" "__IRTSS:22693245" "__IRSID:S-1-5-21-1914912747-3343861975-731272777-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-1914912747-3343861975-731272777-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.28 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x71b333e0,0x71b333f0,0x71b333fc
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1516 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230324195136" --session-guid=cab93c08-e52f-4c7f-8142-066c274e223a --server-tracking-blob=OTJlM2Y5Yjg2MDQwNjJmZjFjMmIxOGVmY2ExZmQ1YTI2MzcxN2YzYTE3MmVlODY2MTJiNTA5MTg2NWY2YjAwOTp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjciLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjc5NjgzODk0LjgwMTYiLCJ1c2VyYWdlbnQiOiJTZXR1cCBGYWN0b3J5IDkuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ik9wZXJhRGVza3RvcCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik1TVEwifSwidXVpZCI6IjdiYmE0MTdlLWVhMDItNDc2MS1hOTc4LTI2ZTE0YzVlNTY1NiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0403000000000000
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.28 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x710b33e0,0x710b33f0,0x710b33fc
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe"
6⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe" --version
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0xbc6c28,0xbc6c38,0xbc6c44
7⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2360

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2528

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:2608

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
471B

MD5
6c901265114228103d2ef632217e527d

SHA1
1318098c003505269a5043052002cbe5869612cd

SHA256
070837c0cd2e7d678ac8ac68b7c2f3d077abd576f193f68c46d12eb140153deb

SHA512
e46b7dfe5d76761938ff4e3e564db6014e0ef734a5d986a55508840fcc69ae2e590604b2c019f0c3a272dcb5ca1b06385eb6ab2ed34ff6eb052d36db61f0461c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
577df8c165727512814d02393ead316d

SHA1
1271b161551705dce881889090e4f47acb5675b5

SHA256
0f00286fa6ffbded54d99f3c374587f044ce82486446d73098a197da897ef143

SHA512
9c737f1941022c241d8ec0a80b17a105eb07a36a8385fb587998c48bd36203ab14c1e09946956dcab161dfa2a4f2e5e9364e9baf994288b30a0d7c1c276863e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f02adbdddea614c2f858d83df24f62f

SHA1
c6b7ae102c833f980d998a77d4e0c8eb97ef5d31

SHA256
3e59563dcdae5c6632013ec5e82e7b83e1d8aba133fc672410cb7d0aa39e2e7c

SHA512
6c9ceecda2d5d53bfcd74e60d52ff112afbdbb4a91b0f2615a4068bdf5bd0e60fc373fe566c620217f56f8a05e7bed109a3b164812e4ff4de03f8ffc71ccecc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
7011e763bced99b3df908b405f4d22e6

SHA1
52c5885d672f11ddd1f097d026510ed44c97a2e1

SHA256
f58bbbee5f8bdb52e4dc0bf1faaab184ac33cf606e14b9c152144bba3b54c284

SHA512
5f1ed1364b530eebff792b425129ee6f121efa83ec55942a84feb79c33df38ff8b38fb083fb207274a352ca8aea7538f18227a8236f473c8b96e5cf0c9a95562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
37f9d87588aa44ba4a3a5397e7d0b967

SHA1
2514438f7b87ab2bcea352a5d7910feb33c16a5b

SHA256
c393a3c976002d19af28102f65c562708c65b3880a6d1ec450d4ade3e7cdee82

SHA512
e1bb65153ff3a073b0f951c22109c8d39262d13d85119e9d0faaaacc51c77ede00acb3b8539e533711dfbe2852ade85e34a067af87c17bc7959a98117e3a78d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\additional_file0.tmp
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1099.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE330.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951359761532.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1109.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE332.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
f7ae33e5dc26017806d2d66baa1e29bf

SHA1
79c926f3d533e3ee79f7e688b8731096819cecb7

SHA256
dbdd6f54cd024ef67b8806ba4c8759b30faa8f47d22a28fed419c23160ef7fb4

SHA512
d6e6ded4a6670feab177706cf01a6fdf6dd51b332095634fe7a98f08f00d6c9d1255801b6e49b895539410fb768dca402477033aa74cbaae1f9614338ae2c9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG105.PNG
Filesize
1KB

MD5
a61c4dce767771e8ab95319e22ca845a

SHA1
c3f744e9bf87dd596af8929992d2b061efae6a06

SHA256
a30cfcd584eb2fbf6a8946c4f7019abf4c6a63ac2a4345fcec7b0af209bfd7e1

SHA512
f24da088f41a4df08062473cf252adba80893b99f5d0d77489886bda6d86fdfed3a922609351202ddd399b661b05e2af8327063b49594f0ee766622a32fd9bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG
Filesize
2KB

MD5
3d5f330e6b06983c2039787918380ed9

SHA1
b266a30c60e416b4fc4e2873b0af6c834547384c

SHA256
634cc62d01293bb8ece92e9e19ad09b246f432669ff6372339f1e4cf3970422d

SHA512
d7510dc8e54c8069086926aa5d318186b93ce4bba7ee6bb8e9e9876df8fded7a30021c98800b4ab4b480c8a77f97bc2c606c3bc8cf9f20ffd5bfc2e1197b302e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG123.PNG
Filesize
40KB

MD5
86dea528d12cc99302cc3b816617d441

SHA1
402891bc98ff5c74c6292f290b1b23f6643fbf8a

SHA256
9ea8e5dcc91a3da9707e376935c1f2ee8a814911163073728d5b21b0232e7dc6

SHA512
271d2a51bdb443165b5b64f7c0f91a22a121699143c2394b8404741c6fe8e5df63cc3db32f4fbf7333fbbe5f0f39f0f151130ec90f79432cc50ca3d997080ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
9a9f1e56504fbacaadab18841f5601ce

SHA1
7370243d1ccb404dcbfee15bae8eb1dca4089424

SHA256
a2e909a0af7ce6e3e920e7d0177418e76a775fa27fa9108aa3ab7eca86c46207

SHA512
4f823863ec494cedb1b3b13549b5a7191df9784aa0ca698346b3e9ea5b01d34613ec21b260fc54a78089525b45634aa815be211898772be4164611d5eb782b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG
Filesize
1KB

MD5
0a769eb4025da2ffb3789604406c560d

SHA1
ec3bd34ba1cb3306a671438296cc043019fdfac7

SHA256
94ecca5e9bc237a6c2ee966d3a3d47b6e753928baa96d0a3c4b9422c3b01113b

SHA512
f121e61b1466ab93628cbb4848cf659713cd935e2eb4c8e87bfefaafce09c5785d2fea353e702e2564572a8cb595703c232ce98b79a3678f4c1a0ee1e97bd73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
18c7c448d89a759f33e8718e5e77e426

SHA1
d684616a97cb35907557faf62017cbb15ebab454

SHA256
440ac12284299b73644fdb21e07c383ad8511c6efb7dbcb87024d30f36af7f85

SHA512
a7ac80ff4dc7fa094a40963396a76cb1c76892a7a29e670761c84aeb475b6f5b10010678f72a2db2aefa6eb3b99fe3133d001f7ec0872eb505a12cb2ba31a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
Filesize
43KB

MD5
300096a54f5c43b72a8d0fd6133d83cc

SHA1
a9d20156a45724128f17cd1c2eb352eee7774e27

SHA256
032569b46fcad28894e78b0adae22d7c1f154371a1fc929a36483cf6c412ae0e

SHA512
d943e6cb2838cbf6008df079f72376f6d8de9b637e6ee1e143748a2882a1abc75900fc8e7f6ecae7e917865d4bdbfaa52c6a55a98672c2742a92c314d3a0a2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG
Filesize
1KB

MD5
b1ed9f3b9acfa97b13ce7cfce7c3d33f

SHA1
0b51ac4d63a53f2668ce09aa9f9ae1284f4232a5

SHA256
c87b2d8d3274cb9d652cf1b377237c6407d1ccc042db081ee24d93a71c042a79

SHA512
4697906dc7dd25639150916c5ad7b4166f979a9c58661912209d1e53088d8976f577da1b4af2159758aa4c066bb30552eae24cd141c527c8a6eef61c23222ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
110KB

MD5
dc1091f32258495a5313da54870b0768

SHA1
26eb9cfd00861bb55fdb4e25bd3427b5b137c148

SHA256
ebd2b290264dfc287b3ed4fda4aa6680f71a2997e15a8e1003696d9000a17d23

SHA512
8f084e376a8e0e5bc3ae34d24d114e29ade6f4a5bb59fb5a291bc9c427df1ec8539b1d7d5fb1609f2a4087f2eb17b445f8b9e2751dca0717c06ac2207ad4e639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
972bd8d03040744ebb193aa6bdbe711c

SHA1
71bb4ae17ddc7ad39d05ad60e29c032d4cfcba71

SHA256
9b387b09fe97654418e9b89c4843f3ee98055a7261b594f6beee698da03cb10c

SHA512
923baeb010dc3e29700b71303d467cee8f5494ffad8da9d8f5803f7ee95e1d486f214c132ab6d4e486964237a8b9439669f27796a0d49720c985631523c03650

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
599B

MD5
7073d1947156a08b42e13d9a9c6191cd

SHA1
6ba6f7eea4708063b6abaa1be2d377aca537863d

SHA256
2c2043c020d99045afdbc1094f212f43bf988e9bb44a4162da180b3deb5918f6

SHA512
66d49f1883fced114188f1bad1cf00dcb2b38fc9082f5d00e7eccca5050c1f9c12dc50f40a4cf50d1e07cc246b49791c3aca639bda6e8632cf70901c07336ccb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
5.2MB

MD5
1f73fb40bb5f2adfba15a2ff635e38f1

SHA1
a1d86b12e6776224a27cd86e50f9fddfed080da4

SHA256
9904f3d58a967aca7b4a74b182d930b380eb72d19f61cfefff86f65702c35385

SHA512
1e48fd4a01cbc005b99a8c2a21807f892e224ab0b9e16298683ecb7a64f30a7a9583853c2a9e7a0bdc0fa010e0d9a816d182126a379e64c4f016646ca89c813b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG
Filesize
1KB

MD5
61fa9fae50aa44ea3ed4a40e696465d6

SHA1
ea1401c22d9bb47c51b977c91fb87908c8a97f4a

SHA256
91458d455284afd8909834331a90182b2f29bbab30b30f2a3585195804b76316

SHA512
0f01c5f83fff49be11d1423f598244e628360eae0f2dbcc02aad21943c7efb33b919ab97ad5385d598ff4758da8bee8978608f43fb0909b9a0afbb67fb78a750

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
45KB

MD5
ebfa7c2a770f2e106b6b6253f8dd09f9

SHA1
db842939a3ac9e124325311804cfad1fe235f73d

SHA256
594ea0f496968181bf37400d4201f73040b9cc9dc72cebe23e700be712e89eca

SHA512
11ba57c44f119aadb2f33bcdc3e7d0213f8c64d252f23f68b90595d684f10a901e0b10182816132909a6456f54c9123d5e51ebd96143a28301cba3dc9b72474a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
Filesize
352B

MD5
e5da0ff02090f93cc2ad8424db8c6444

SHA1
9bf7fedd01af28ba9b99e4f1e6e4624e72994282

SHA256
b14a73a25bf48bd6b2e1ac2182106ae92d26d76b74be3e96a03fff87b034e519

SHA512
ba6af1c5eadad279f2768fc5be58364b83e7637ebb7094ed5cea6fa9539aefd1a88d08b35896dd6d1b5e38a5b49fe685174bee0433e6880a3082fd3d12c7db6c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG
Filesize
438B

MD5
d9ab0dc897d2a9c639f54c6f8c8b8ca9

SHA1
8828ef60c3f12d0a470953d6c055bc103a4963a4

SHA256
1dc8acea23931363eb0ce59b6372fd64430f47ecb13d184891cf81324fd9a2bf

SHA512
6405636b4daab452abbc17e24abc770315b19a269be39cf151a4faea4be68d3bd8827f0fedf51066b4b42efcd696ad6832a2baa849181b380b08da54d6147161

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG
Filesize
206B

MD5
6f1eaa32297cceb1420cf4f2ee4312ff

SHA1
7e667a4e01450d0f274611edfbd1877f38cce88c

SHA256
71bb7e8679afa8d76169ce10ab171f2f9e308f632da01ab8c4654f8be503e462

SHA512
138a34ca708eaeb4dc3050df9e4c0d7afe13f362f5001c40f70a36fa867683d28603b150ff1f43d686a3c4afa754e1d34b2903a8c9df1cd3b63a5e3e0a3c5c74

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG
Filesize
1KB

MD5
299a6141f7b40309ff93ef36064f20b0

SHA1
ad447fb95871f3fdb52e3ae78b9b011a2425dd75

SHA256
203d65a9fc92327ebc059729dacf23c8e13c1d7c026c292d028980609083a781

SHA512
f552ed24a7e97d8568c481c5c45c119a7c56610bd81849fa71f87b5e1ad2cd4a04d9464874b8741ab87bd8f377e3b4d414d026415c5d7f0d4dc96828cfdb4d3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG
Filesize
1KB

MD5
fd47269bd12f4788063a30494a123f45

SHA1
fa41f2f0a2e634b36c61a11d8ee044fd9ac87402

SHA256
a8056b3d482d11a78818784c363a406f55f9d50bae742659bb3d813683790e33

SHA512
28fb4a86e0d04ad66b031cbad04e1d82af6fcc09d32132c8453fc2a34bc00a595d1c4f6e8fe19e443fb40eeb4b47c0a1a59ab0a8a0a971fa46d746fde3f72df1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
Filesize
41KB

MD5
1372e5018da45be041f4ca03fe2009fa

SHA1
b8007824887109df35049ac92f80cca276085823

SHA256
3d59e492c8bee131c5c68300c57b243f01ac7dfa28850956b6c08e5fb0b65e47

SHA512
149e6027d1c8a4cd35bcb3b3f181bc0ac4a75637c2fce0ff9ad83c6b4855e1aceb288b554757062e05eb267ea620b623ed8f90aa7e7a909d643bec3f0de42025

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG
Filesize
1KB

MD5
a2f1149887a432fc727b24271e269e0f

SHA1
2bbdbe5d2003f6f249c984f5bb57645e8dbad62d

SHA256
40e15833d63c2655a3ce20bb9cd9599498b8208492639a1b161457941e54f09d

SHA512
ab175e26ef76d2a3ae86047e30ecf81a6019113001a1328a0362829f453b12b6d950ad7cf5816678d7a6914c65db5cf0b53909ccaa699ccfd714b2f0a906f905

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
2628ef2e3f732366a6f1f7f93fe9dc55

SHA1
0e5d63e726f65d405bb2989f33b7c18e6b60eff3

SHA256
e710e106fb895d7f507abf9206187180a67a6f1c5ff604dc9c4e99f84e9ae80f

SHA512
75bf0b7b6e534c9d1ce5b8ca7326a224c1b44dc46b539f7f3a09da2fc2655182477c37931fa3ea8844562b0b46f882bffcef18bd67b5d5585f9babaa67474e01

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
19KB

MD5
d2d69b6f7291310531a43babd296acf1

SHA1
f87460730747790c3bdb6ffe0eed204c60c8bbef

SHA256
81e367d63e712b8a41fef660c46f503285ef3085a852b4cf6846f006194f8b1f

SHA512
5c14fee4eee3e4bd26fa6904940fc6550d305b8edb330f066efa2299d396e3f281320840f62ce20e4757c92a09e445947ce6851043425ec59c34e336d8af7c54

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
ffc151d87850e1333fa89cf2295ff9b6

SHA1
52adada43b95c391e46d12ad224b41bc7fb1bdee

SHA256
4be354e43c9a15a87488636051b063c1f59f227146c4b3df9d3be498e11360dc

SHA512
dfa1e88612a9c5aeeabee33c5374d24625594bb134fef600ed6bad7f13317ee62ebff0c48ec84dd4ef51c3a100fc0f07c65f9865f207e889bc34e558e1b0107d

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
ffc151d87850e1333fa89cf2295ff9b6

SHA1
52adada43b95c391e46d12ad224b41bc7fb1bdee

SHA256
4be354e43c9a15a87488636051b063c1f59f227146c4b3df9d3be498e11360dc

SHA512
dfa1e88612a9c5aeeabee33c5374d24625594bb134fef600ed6bad7f13317ee62ebff0c48ec84dd4ef51c3a100fc0f07c65f9865f207e889bc34e558e1b0107d

Download Submit
C:\Windows\Installer\6d81be.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\assistant\assistant_installer.exe
Filesize
2.1MB

MD5
2f3d9e21e232b9bfea064d3b2264db06

SHA1
bafddc657d8d1bb531683b29b0342cc065ee51d2

SHA256
25528c314aed2b5391ca1d08c736a3807142aab21ae99d5970f2a862c8258d5d

SHA512
94e81aa3015b7e112bf772b52b2dd6092f5634746e201171b34b2493a62b08fbbf53a6d6c60c904c424c06e802aae6810c6dd88cf7a882846bc0a4793c3b32e5

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303241951361\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951343851516.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951351961712.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951359761532.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951369901184.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303241951375361684.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
0d8a7de63f1cac99228f7f6fa99c50dc

SHA1
9db76c47b60cb9dba818cc1818b14d6961d37653

SHA256
b5541000cd2c3957adedefd6f3b2d42e9f7a5c9859a0cce7b5c1bdd9889c8ce7

SHA512
f39580c27ff5906b633bc8001aa4301402b3ea337d977545da2e8ab379e5d14f2254e5b214fc48b9611de283c0d7b698dfaeb0ef3682c0aaee214f3580ec4ff1

Download Submit
memory/844-418-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/844-369-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-561-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-2141-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-402-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/844-365-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/844-366-0x0000000000C60000-0x0000000000C63000-memory.dmp

Filesize
12KB

Download
memory/844-1711-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-1400-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-1411-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/844-401-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-385-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/844-384-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-1690-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-368-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/844-1556-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/844-1575-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-73-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/844-367-0x0000000000CC0000-0x00000000010A8000-memory.dmp

Filesize
3.9MB

Download
memory/896-462-0x00000000012B0000-0x0000000001698000-memory.dmp

Filesize
3.9MB

Download
memory/896-492-0x0000000005810000-0x0000000005D48000-memory.dmp

Filesize
5.2MB

Download
memory/896-491-0x0000000005810000-0x0000000005D48000-memory.dmp

Filesize
5.2MB

Download
memory/896-480-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/896-499-0x00000000012B0000-0x0000000001698000-memory.dmp

Filesize
3.9MB

Download
memory/1184-1384-0x0000000002B90000-0x00000000030C8000-memory.dmp

Filesize
5.2MB

Download
memory/1184-1383-0x0000000000C40000-0x0000000001178000-memory.dmp

Filesize
5.2MB

Download
memory/1516-551-0x0000000000C40000-0x0000000001178000-memory.dmp

Filesize
5.2MB

Download
memory/1516-537-0x00000000034C0000-0x00000000039F8000-memory.dmp

Filesize
5.2MB

Download
memory/1516-1682-0x00000000034C0000-0x00000000039F8000-memory.dmp

Filesize
5.2MB

Download
memory/1516-1683-0x0000000002C50000-0x0000000003188000-memory.dmp

Filesize
5.2MB

Download
memory/1516-1334-0x0000000003E40000-0x0000000004378000-memory.dmp

Filesize
5.2MB

Download
memory/1516-579-0x0000000002C50000-0x0000000003188000-memory.dmp

Filesize
5.2MB

Download
memory/1532-560-0x0000000000D10000-0x0000000001248000-memory.dmp

Filesize
5.2MB

Download
memory/1532-541-0x0000000000D10000-0x0000000001248000-memory.dmp

Filesize
5.2MB

Download
memory/1684-1385-0x0000000000C40000-0x0000000001178000-memory.dmp

Filesize
5.2MB

Download
memory/1704-68-0x0000000002B90000-0x0000000002F78000-memory.dmp

Filesize
3.9MB

Download
memory/1704-70-0x0000000002B90000-0x0000000002F78000-memory.dmp

Filesize
3.9MB

Download
memory/1712-594-0x0000000000C40000-0x0000000001178000-memory.dmp

Filesize
5.2MB

Download
memory/1960-458-0x0000000002A30000-0x0000000002E18000-memory.dmp

Filesize
3.9MB

Download
memory/1960-460-0x0000000002A30000-0x0000000002E18000-memory.dmp

Filesize
3.9MB

Download
memory/1960-459-0x0000000002A30000-0x0000000002E18000-memory.dmp

Filesize
3.9MB

Download
memory/1960-461-0x0000000002A30000-0x0000000002E18000-memory.dmp

Filesize
3.9MB

Download
memory/2084-2176-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2212-1838-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-1840-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2212-1841-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2212-1847-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2212-1839-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2212-2089-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2560-1684-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download