73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736

Analysis

max time kernel
129s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.86-Installer-1.0.exe
Size

21.7MB
MD5

54686b90f8d52d9489a4e8f41738d0da
SHA1

6931287434aa17f3681dde38710224165cb368ee
SHA256

73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736
SHA512

ee9a2f658bd7f695c5a5bef480b4189724fcdb3ac9be916e6a2575f34737107bd35f8f388b42c3c4f6464051d24221a34992baf8ccb18efdcf854cfe8e25d700
SSDEEP

393216:tXemKme/RtYto0fs/dQETVlOBbpFEj9GZdqV56HpkbGCST7yuk9sLe:tOmsJWTHExiTTqqHpMs6

Score

8^/10

adware discovery persistence spyware stealer upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

56 560 msiexec.exe
58 560 msiexec.exe
60 560 msiexec.exe
Downloads MZ/PE file

flow	pid	process
56	560	msiexec.exe
58	560	msiexec.exe
60	560	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

irsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeAssistant_96.0.4693.50_Setup.exe_sfx.exejre-windows.exeassistant_installer.exeassistant_installer.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
624	irsetup.exe
1380	AdditionalExecuteTL.exe
1532	irsetup.exe
1620	opera-installer-bro.exe
696	opera-installer-bro.exe
1344	opera-installer-bro.exe
1756	opera-installer-bro.exe
2404	opera-installer-bro.exe
1532	Assistant_96.0.4693.50_Setup.exe_sfx.exe
384	jre-windows.exe
2528	assistant_installer.exe
2652	assistant_installer.exe
2252	installer.exe
2944	bspatch.exe
1916	unpack200.exe
2144	unpack200.exe
2220	unpack200.exe
1664	unpack200.exe
2052	unpack200.exe
1724	unpack200.exe
1104	unpack200.exe
2188	unpack200.exe
1200	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.86-Installer-1.0.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeassistant_installer.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
996	TLauncher-2.86-Installer-1.0.exe
996	TLauncher-2.86-Installer-1.0.exe
996	TLauncher-2.86-Installer-1.0.exe
996	TLauncher-2.86-Installer-1.0.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
624	irsetup.exe
1380	AdditionalExecuteTL.exe
1380	AdditionalExecuteTL.exe
1380	AdditionalExecuteTL.exe
1380	AdditionalExecuteTL.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1532	irsetup.exe
1620	opera-installer-bro.exe
1620	opera-installer-bro.exe
696	opera-installer-bro.exe
1620	opera-installer-bro.exe
1344	opera-installer-bro.exe
1620	opera-installer-bro.exe
1756	opera-installer-bro.exe
1756	opera-installer-bro.exe
2404	opera-installer-bro.exe
1620	opera-installer-bro.exe
1620	opera-installer-bro.exe
1620	opera-installer-bro.exe
624	irsetup.exe
1620	opera-installer-bro.exe
2528	assistant_installer.exe
1268
560	msiexec.exe
2944	bspatch.exe
2944	bspatch.exe
2944	bspatch.exe
2252	installer.exe
1916	unpack200.exe
2144	unpack200.exe
2220	unpack200.exe
1664	unpack200.exe
2052	unpack200.exe
1724	unpack200.exe
1104	unpack200.exe
2188	unpack200.exe
2252	installer.exe
2252	installer.exe
2252	installer.exe
844
844
1200	javaw.exe
1200	javaw.exe
1200	javaw.exe
1200	javaw.exe
1200	javaw.exe
2252	installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/624-73-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-366-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-382-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-383-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-389-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-418-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1532-477-0x0000000001140000-0x0000000001528000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1532-514-0x0000000001140000-0x0000000001528000-memory.dmp	upx
behavioral1/memory/1620-516-0x00000000011E0000-0x0000000001718000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/624-575-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/696-609-0x00000000011E0000-0x0000000001718000-memory.dmp	upx
behavioral1/memory/1344-608-0x0000000000090000-0x00000000005C8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1756-1395-0x00000000011E0000-0x0000000001718000-memory.dmp	upx
behavioral1/memory/2404-1397-0x00000000011E0000-0x0000000001718000-memory.dmp	upx
behavioral1/memory/1620-1398-0x00000000011E0000-0x0000000001718000-memory.dmp	upx
behavioral1/memory/624-1412-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-1435-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-1710-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-1718-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-1736-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/2944-1858-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2944-1863-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/624-2074-0x00000000010A0000-0x0000000001488000-memory.dmp	upx
behavioral1/memory/624-2159-0x00000000010A0000-0x0000000001488000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeopera-installer-bro.exeopera-installer-bro.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\splashscreen.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\resources.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfontj2d.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\nio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzdb.dat	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\ffjcext.zip	installer.exe

Drops file in Windows directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6dc840.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6dc840.msi	msiexec.exe
File created	C:\Windows\Installer\6dc842.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDB6.tmp	msiexec.exe
File created	C:\Windows\Installer\6dc844.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "Java(tm) Plug-In SSV Helper"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_92"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_15"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_54"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_98"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_57"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_32"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_74"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}	installer.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exeopera-installer-bro.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	384	jre-windows.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeSecurityPrivilege	560	msiexec.exe
Token: SeCreateTokenPrivilege	384	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	384	jre-windows.exe
Token: SeLockMemoryPrivilege	384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	384	jre-windows.exe
Token: SeMachineAccountPrivilege	384	jre-windows.exe
Token: SeTcbPrivilege	384	jre-windows.exe
Token: SeSecurityPrivilege	384	jre-windows.exe
Token: SeTakeOwnershipPrivilege	384	jre-windows.exe
Token: SeLoadDriverPrivilege	384	jre-windows.exe
Token: SeSystemProfilePrivilege	384	jre-windows.exe
Token: SeSystemtimePrivilege	384	jre-windows.exe
Token: SeProfSingleProcessPrivilege	384	jre-windows.exe
Token: SeIncBasePriorityPrivilege	384	jre-windows.exe
Token: SeCreatePagefilePrivilege	384	jre-windows.exe
Token: SeCreatePermanentPrivilege	384	jre-windows.exe
Token: SeBackupPrivilege	384	jre-windows.exe
Token: SeRestorePrivilege	384	jre-windows.exe
Token: SeShutdownPrivilege	384	jre-windows.exe
Token: SeDebugPrivilege	384	jre-windows.exe
Token: SeAuditPrivilege	384	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	384	jre-windows.exe
Token: SeChangeNotifyPrivilege	384	jre-windows.exe
Token: SeRemoteShutdownPrivilege	384	jre-windows.exe
Token: SeUndockPrivilege	384	jre-windows.exe
Token: SeSyncAgentPrivilege	384	jre-windows.exe
Token: SeEnableDelegationPrivilege	384	jre-windows.exe
Token: SeManageVolumePrivilege	384	jre-windows.exe
Token: SeImpersonatePrivilege	384	jre-windows.exe
Token: SeCreateGlobalPrivilege	384	jre-windows.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe
Token: SeRestorePrivilege	560	msiexec.exe
Token: SeTakeOwnershipPrivilege	560	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

irsetup.exeirsetup.exe

pid process

624 irsetup.exe
624 irsetup.exe
624 irsetup.exe
624 irsetup.exe
624 irsetup.exe
624 irsetup.exe
1532 irsetup.exe
1532 irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.86-Installer-1.0.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exe

description	pid	process	target process
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 996 wrote to memory of 624	996	TLauncher-2.86-Installer-1.0.exe	irsetup.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 624 wrote to memory of 1380	624	irsetup.exe	AdditionalExecuteTL.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1380 wrote to memory of 1532	1380	AdditionalExecuteTL.exe	irsetup.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1532 wrote to memory of 1620	1532	irsetup.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 696	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1344	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1756	1620	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1756 wrote to memory of 2404	1756	opera-installer-bro.exe	opera-installer-bro.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 1620 wrote to memory of 1532	1620	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 624 wrote to memory of 384	624	irsetup.exe	jre-windows.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe" "__IRCT:3" "__IRTSS:22693245" "__IRSID:S-1-5-21-3948302646-268491222-1934009652-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-3948302646-268491222-1934009652-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.28 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x718333e0,0x718333f0,0x718333fc
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:696

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1620 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230328064601" --session-guid=c52be694-b207-4fe2-92aa-67efd453a94e --server-tracking-blob=YTZjNDNkZjZkMTA3ZjE1MjcyZDgxMTA0N2Q3YzhhZWYwYmM5ZGIzZjU3NDU0ZmU1ZjM5MzZkMzhiMGEyZGUyMDp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjciLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjc5OTc4NzU2LjE4NTMiLCJ1c2VyYWdlbnQiOiJTZXR1cCBGYWN0b3J5IDkuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ik9wZXJhRGVza3RvcCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik1TVEwifSwidXVpZCI6IjA1MmQ2ZmM5LThiYmUtNDg4Ny05YmMxLTQyNWE1N2QwZTNjMiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3403000000000000
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.28 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x70d033e0,0x70d033f0,0x70d033fc
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe"
6⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\assistant_installer.exe" --version
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x1356c28,0x1356c38,0x1356c44
7⤵
- Executes dropped EXE
PID:2652

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2252

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2144

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2220

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2052

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:2808

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
PID:2856

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
471B

MD5
92a6e5070529f066d5dd8ba0ee4ad21f

SHA1
d53c4c60e56c8ca7079183bdb36f4ba002c8cdf7

SHA256
2d90916a8fc4e8bd1ea4d2d76ce7f3c37aaaa8aef3ecf7b8478cb3b3853f69d9

SHA512
eeab5b46bbb9beb43e68cc771118183cdd61b0f248e1bd168f84b216b8cda84d632affda1fa5bcd78e7588bcfba2e47c4f5d2ef1f92820493251be0ff2d7c73b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d908b25d3bccd139ebbdd22e3533b7c9

SHA1
9399fbe3e94de6a740d8b817fcae9817d7d62851

SHA256
24659da484700ff83c5c68b3e04ba4da1173c157420e36fdf6a8ff26485b972b

SHA512
74ac27bcdeb78d98eca46231ee1000513e83963008cbe5487ee7392bc972faf4ce09cbacebe326cac12115ecd9f521c8af3cdfef61479075e8a421ecf1eb5274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a65cc2b47e66b7052719c74604994fe8

SHA1
a0ecad227079b028b66a639b5024ee31e264177e

SHA256
d11555423e92ed7f3836194d2fae1bc8156f35c2516f0a3b8baf9a7592d8f265

SHA512
f455279d4609640a3ef12ca8f3b33580a4dfdb33d7e5aa1158e82806f277f662deabb6f56673c6322aa067c9bba60c50191db78edef4668245eef95854ac5d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1ecf91b77dd74b1cb2a1d1a176eb9b5d

SHA1
657c93cefdd4411c2c2c45afa1b10ace5b354ff5

SHA256
3e1935f69b0f251126934256fc440cc5c301e4ada7f5755337973c42922ab577

SHA512
ba7ad1853fd2d303179b2c83c3174c749b8bd6b293239104b613974ff5804cf2471a28881c805f0598b55ed903375012a5c4ff4317f784768a6d5d48174351a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
0177ac455087736f40bd2918e967a86f

SHA1
5fa3e0edadff8bac392564c0de2e31b5062a8daf

SHA256
34a92c5888277484bf8926e7b63dca8a766c1995a1b7e9ca2fe539d171116002

SHA512
c6e21c4d14ee94da73caeb2e7804a72296d0475918d9858650aab2338e14070f3bc068f0aa8f0bdd307c457009dcfea0a617e75e2f0aad6f01c1fe2195844cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
c9811c4718ca08824135b88710cf1024

SHA1
58c895fd8017690134998e72099f561b70176a93

SHA256
78e1dabd4ddd1da9fdc40aabe68986f45a4a281b8079798637d629db20486cca

SHA512
1bae64e3b842078da709838b4b700e828559f906772bf0b964de62451688180a311c7a23756b7a23bb7d7ca3a340fd6665a3b1b08c8a2fbc8179436ac23f7784

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\additional_file0.tmp
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2783.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE62B.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2303280645596981344.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27B4.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE64D.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
f7ae33e5dc26017806d2d66baa1e29bf

SHA1
79c926f3d533e3ee79f7e688b8731096819cecb7

SHA256
dbdd6f54cd024ef67b8806ba4c8759b30faa8f47d22a28fed419c23160ef7fb4

SHA512
d6e6ded4a6670feab177706cf01a6fdf6dd51b332095634fe7a98f08f00d6c9d1255801b6e49b895539410fb768dca402477033aa74cbaae1f9614338ae2c9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG105.PNG
Filesize
1KB

MD5
a61c4dce767771e8ab95319e22ca845a

SHA1
c3f744e9bf87dd596af8929992d2b061efae6a06

SHA256
a30cfcd584eb2fbf6a8946c4f7019abf4c6a63ac2a4345fcec7b0af209bfd7e1

SHA512
f24da088f41a4df08062473cf252adba80893b99f5d0d77489886bda6d86fdfed3a922609351202ddd399b661b05e2af8327063b49594f0ee766622a32fd9bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG
Filesize
2KB

MD5
3d5f330e6b06983c2039787918380ed9

SHA1
b266a30c60e416b4fc4e2873b0af6c834547384c

SHA256
634cc62d01293bb8ece92e9e19ad09b246f432669ff6372339f1e4cf3970422d

SHA512
d7510dc8e54c8069086926aa5d318186b93ce4bba7ee6bb8e9e9876df8fded7a30021c98800b4ab4b480c8a77f97bc2c606c3bc8cf9f20ffd5bfc2e1197b302e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG123.PNG
Filesize
40KB

MD5
86dea528d12cc99302cc3b816617d441

SHA1
402891bc98ff5c74c6292f290b1b23f6643fbf8a

SHA256
9ea8e5dcc91a3da9707e376935c1f2ee8a814911163073728d5b21b0232e7dc6

SHA512
271d2a51bdb443165b5b64f7c0f91a22a121699143c2394b8404741c6fe8e5df63cc3db32f4fbf7333fbbe5f0f39f0f151130ec90f79432cc50ca3d997080ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
9a9f1e56504fbacaadab18841f5601ce

SHA1
7370243d1ccb404dcbfee15bae8eb1dca4089424

SHA256
a2e909a0af7ce6e3e920e7d0177418e76a775fa27fa9108aa3ab7eca86c46207

SHA512
4f823863ec494cedb1b3b13549b5a7191df9784aa0ca698346b3e9ea5b01d34613ec21b260fc54a78089525b45634aa815be211898772be4164611d5eb782b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG
Filesize
1KB

MD5
0a769eb4025da2ffb3789604406c560d

SHA1
ec3bd34ba1cb3306a671438296cc043019fdfac7

SHA256
94ecca5e9bc237a6c2ee966d3a3d47b6e753928baa96d0a3c4b9422c3b01113b

SHA512
f121e61b1466ab93628cbb4848cf659713cd935e2eb4c8e87bfefaafce09c5785d2fea353e702e2564572a8cb595703c232ce98b79a3678f4c1a0ee1e97bd73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
18c7c448d89a759f33e8718e5e77e426

SHA1
d684616a97cb35907557faf62017cbb15ebab454

SHA256
440ac12284299b73644fdb21e07c383ad8511c6efb7dbcb87024d30f36af7f85

SHA512
a7ac80ff4dc7fa094a40963396a76cb1c76892a7a29e670761c84aeb475b6f5b10010678f72a2db2aefa6eb3b99fe3133d001f7ec0872eb505a12cb2ba31a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
Filesize
43KB

MD5
300096a54f5c43b72a8d0fd6133d83cc

SHA1
a9d20156a45724128f17cd1c2eb352eee7774e27

SHA256
032569b46fcad28894e78b0adae22d7c1f154371a1fc929a36483cf6c412ae0e

SHA512
d943e6cb2838cbf6008df079f72376f6d8de9b637e6ee1e143748a2882a1abc75900fc8e7f6ecae7e917865d4bdbfaa52c6a55a98672c2742a92c314d3a0a2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG
Filesize
1KB

MD5
b1ed9f3b9acfa97b13ce7cfce7c3d33f

SHA1
0b51ac4d63a53f2668ce09aa9f9ae1284f4232a5

SHA256
c87b2d8d3274cb9d652cf1b377237c6407d1ccc042db081ee24d93a71c042a79

SHA512
4697906dc7dd25639150916c5ad7b4166f979a9c58661912209d1e53088d8976f577da1b4af2159758aa4c066bb30552eae24cd141c527c8a6eef61c23222ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
110KB

MD5
dc1091f32258495a5313da54870b0768

SHA1
26eb9cfd00861bb55fdb4e25bd3427b5b137c148

SHA256
ebd2b290264dfc287b3ed4fda4aa6680f71a2997e15a8e1003696d9000a17d23

SHA512
8f084e376a8e0e5bc3ae34d24d114e29ade6f4a5bb59fb5a291bc9c427df1ec8539b1d7d5fb1609f2a4087f2eb17b445f8b9e2751dca0717c06ac2207ad4e639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
b53039ebe3e9e2d48cc1a9466a1bf689

SHA1
e275b45ac9cbacf460eeaa44d5ddc3ac10ebe6b1

SHA256
0273a56b6d1e8c9e9ddf44fdf037da5e224aac22fde49bf04aca61abf079b074

SHA512
9a2f641258365d490c89b3cc515e1cc7f72f44b58f4726af1546999600f9e8c8a198425190e3e43fefe5e524aa181c5ee09827fb8c08397ed82fa181ac3f8501

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
599B

MD5
769682e69d10f679d8953e1f69fdf1bb

SHA1
9a24025648ce6bdff1322a1aae31cb5c41c7a479

SHA256
3462bea0f0c463d959fc073ee65a06baba88f616e49b4575719c18e04241f69e

SHA512
abc90c835460500859f04e3c85d366729d47053ee89321c1e7bf62c50955dced2cbe19702ccd159ea769f7ebcafb6375e1224425bba788781f2e30ed239fd98e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
5.2MB

MD5
1f73fb40bb5f2adfba15a2ff635e38f1

SHA1
a1d86b12e6776224a27cd86e50f9fddfed080da4

SHA256
9904f3d58a967aca7b4a74b182d930b380eb72d19f61cfefff86f65702c35385

SHA512
1e48fd4a01cbc005b99a8c2a21807f892e224ab0b9e16298683ecb7a64f30a7a9583853c2a9e7a0bdc0fa010e0d9a816d182126a379e64c4f016646ca89c813b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG
Filesize
1KB

MD5
61fa9fae50aa44ea3ed4a40e696465d6

SHA1
ea1401c22d9bb47c51b977c91fb87908c8a97f4a

SHA256
91458d455284afd8909834331a90182b2f29bbab30b30f2a3585195804b76316

SHA512
0f01c5f83fff49be11d1423f598244e628360eae0f2dbcc02aad21943c7efb33b919ab97ad5385d598ff4758da8bee8978608f43fb0909b9a0afbb67fb78a750

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
45KB

MD5
ebfa7c2a770f2e106b6b6253f8dd09f9

SHA1
db842939a3ac9e124325311804cfad1fe235f73d

SHA256
594ea0f496968181bf37400d4201f73040b9cc9dc72cebe23e700be712e89eca

SHA512
11ba57c44f119aadb2f33bcdc3e7d0213f8c64d252f23f68b90595d684f10a901e0b10182816132909a6456f54c9123d5e51ebd96143a28301cba3dc9b72474a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
Filesize
457B

MD5
09b91cdc6dccb019291ed8dc0eb9a0ed

SHA1
4657af8119fe097ca9b214bdc3e7d02a837dfac7

SHA256
55856d757130127683c072da67aaca37d9b657964a4c1a012e29d2ccf2f01811

SHA512
86a93999a32364d504aa80de18b701a6810d9e05b732bb59d89b17c99fa6498ed6afcca5701dd247a030012f475265cea3d8a9c5fded2f634cc58b9dd4f3a918

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
Filesize
352B

MD5
e5da0ff02090f93cc2ad8424db8c6444

SHA1
9bf7fedd01af28ba9b99e4f1e6e4624e72994282

SHA256
b14a73a25bf48bd6b2e1ac2182106ae92d26d76b74be3e96a03fff87b034e519

SHA512
ba6af1c5eadad279f2768fc5be58364b83e7637ebb7094ed5cea6fa9539aefd1a88d08b35896dd6d1b5e38a5b49fe685174bee0433e6880a3082fd3d12c7db6c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG
Filesize
438B

MD5
d9ab0dc897d2a9c639f54c6f8c8b8ca9

SHA1
8828ef60c3f12d0a470953d6c055bc103a4963a4

SHA256
1dc8acea23931363eb0ce59b6372fd64430f47ecb13d184891cf81324fd9a2bf

SHA512
6405636b4daab452abbc17e24abc770315b19a269be39cf151a4faea4be68d3bd8827f0fedf51066b4b42efcd696ad6832a2baa849181b380b08da54d6147161

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG
Filesize
206B

MD5
6f1eaa32297cceb1420cf4f2ee4312ff

SHA1
7e667a4e01450d0f274611edfbd1877f38cce88c

SHA256
71bb7e8679afa8d76169ce10ab171f2f9e308f632da01ab8c4654f8be503e462

SHA512
138a34ca708eaeb4dc3050df9e4c0d7afe13f362f5001c40f70a36fa867683d28603b150ff1f43d686a3c4afa754e1d34b2903a8c9df1cd3b63a5e3e0a3c5c74

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG
Filesize
1KB

MD5
299a6141f7b40309ff93ef36064f20b0

SHA1
ad447fb95871f3fdb52e3ae78b9b011a2425dd75

SHA256
203d65a9fc92327ebc059729dacf23c8e13c1d7c026c292d028980609083a781

SHA512
f552ed24a7e97d8568c481c5c45c119a7c56610bd81849fa71f87b5e1ad2cd4a04d9464874b8741ab87bd8f377e3b4d414d026415c5d7f0d4dc96828cfdb4d3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG
Filesize
1KB

MD5
fd47269bd12f4788063a30494a123f45

SHA1
fa41f2f0a2e634b36c61a11d8ee044fd9ac87402

SHA256
a8056b3d482d11a78818784c363a406f55f9d50bae742659bb3d813683790e33

SHA512
28fb4a86e0d04ad66b031cbad04e1d82af6fcc09d32132c8453fc2a34bc00a595d1c4f6e8fe19e443fb40eeb4b47c0a1a59ab0a8a0a971fa46d746fde3f72df1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
Filesize
41KB

MD5
1372e5018da45be041f4ca03fe2009fa

SHA1
b8007824887109df35049ac92f80cca276085823

SHA256
3d59e492c8bee131c5c68300c57b243f01ac7dfa28850956b6c08e5fb0b65e47

SHA512
149e6027d1c8a4cd35bcb3b3f181bc0ac4a75637c2fce0ff9ad83c6b4855e1aceb288b554757062e05eb267ea620b623ed8f90aa7e7a909d643bec3f0de42025

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG
Filesize
1KB

MD5
a2f1149887a432fc727b24271e269e0f

SHA1
2bbdbe5d2003f6f249c984f5bb57645e8dbad62d

SHA256
40e15833d63c2655a3ce20bb9cd9599498b8208492639a1b161457941e54f09d

SHA512
ab175e26ef76d2a3ae86047e30ecf81a6019113001a1328a0362829f453b12b6d950ad7cf5816678d7a6914c65db5cf0b53909ccaa699ccfd714b2f0a906f905

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
a4192aaf5b50194e757cc6e83ecf1900

SHA1
b0bbf17a6fbf40a5b791e3cb213969dc736e6fc8

SHA256
c3fda2976a74f65bdb0d589f175cfe747078f974ea2234569fcdc2ef65a78ae0

SHA512
5ba51bbd1fea6584d8747256a076512bc3fa75f041a72a057c2a1ce16c7ed04c28235fee3b4f72605b8ed5666aa01dde6832fc7c8a5df2642467f26fd6e3f74e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
b93308dc49cef4932c692bae3e6b572f

SHA1
43752f3159a86ff0b437d362e3e5f5ed1c2abbb3

SHA256
37a96d8ae9589361749c5a210be737bcd166c00c08a460de99734babda9a6c87

SHA512
23234d7c76cd052e976374fbc2f7f687aecae6f50708f6cf1b01523129c1f255aeaf9bf84b9b89b4c0e95f28bb59300627e5502164b3b3952c92a4e332b3d638

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
910fd65f8c2f001efea8d7defd3d6c61

SHA1
f5a80812c44edbc190141e5de080dd6a151e1227

SHA256
53ac49f88a25c9d256880774e9cc8874ceaaefaf857b39beb4f3b163db61823c

SHA512
e8d4510b4793baf87e5a862831bc5e268bc12bfb4e05ae5b28bedc130369119a2bd4bde55e5566a6626cf5d3ff8c8232b9767f18eb500de6843fc2f58642a069

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
910fd65f8c2f001efea8d7defd3d6c61

SHA1
f5a80812c44edbc190141e5de080dd6a151e1227

SHA256
53ac49f88a25c9d256880774e9cc8874ceaaefaf857b39beb4f3b163db61823c

SHA512
e8d4510b4793baf87e5a862831bc5e268bc12bfb4e05ae5b28bedc130369119a2bd4bde55e5566a6626cf5d3ff8c8232b9767f18eb500de6843fc2f58642a069

Download Submit
C:\Windows\Installer\6dc840.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202303280646011\opera_package
Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303280645576861620.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230328064558294696.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303280645596981344.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303280646017421756.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2303280646019292404.dll
Filesize
4.6MB

MD5
674e177ac04e98ce48f4df0d4c440568

SHA1
b08fa2014573f0af48c06357da323e79399ef144

SHA256
8e1ac3c2a3aeb52e26794368c1adf5e7b330aa3bc27ac1669cb3aed64da8fe86

SHA512
5d99f5837ec50ca2f46a8e8cfbb055eeedbc28f7e63c49a901984f1c884e2a6d790e91542174dc2808b4ead30a6204912f5f98af1b562210494574eb2328d3e4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
7bd289086adbabba6647d9bb6391083e

SHA1
9e54b4d1d918c08c00fc315297f9ca67dba68e5f

SHA256
5c06eb50bbdde4e4ad0c4e7058e2cc03d80d123e658f12548ab5519419c07873

SHA512
d93aeaf886d8e5a1ca8d5fc20d41e1d7d52fedcc2f420f272c967449350bdc9fd939f71ef4258fc0fa1c6843a05613ef9e6ac353390302a5fecf454e47801fc7

Download Submit
memory/384-1705-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/624-367-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/624-366-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-2159-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-73-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-364-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/624-2074-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-365-0x0000000000470000-0x0000000000473000-memory.dmp

Filesize
12KB

Download
memory/624-1412-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-1413-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/624-1435-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-1736-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-1718-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-1710-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-382-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-383-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-384-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/624-389-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-418-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-419-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/624-575-0x00000000010A0000-0x0000000001488000-memory.dmp

Filesize
3.9MB

Download
memory/624-435-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/696-609-0x00000000011E0000-0x0000000001718000-memory.dmp

Filesize
5.2MB

Download
memory/996-71-0x0000000002EB0000-0x0000000003298000-memory.dmp

Filesize
3.9MB

Download
memory/1200-2106-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1344-608-0x0000000000090000-0x00000000005C8000-memory.dmp

Filesize
5.2MB

Download
memory/1380-476-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1380-475-0x0000000002C30000-0x0000000003018000-memory.dmp

Filesize
3.9MB

Download
memory/1532-513-0x0000000005650000-0x0000000005B88000-memory.dmp

Filesize
5.2MB

Download
memory/1532-508-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/1532-477-0x0000000001140000-0x0000000001528000-memory.dmp

Filesize
3.9MB

Download
memory/1532-515-0x0000000005650000-0x0000000005B88000-memory.dmp

Filesize
5.2MB

Download
memory/1532-514-0x0000000001140000-0x0000000001528000-memory.dmp

Filesize
3.9MB

Download
memory/1532-1497-0x0000000005650000-0x0000000005B88000-memory.dmp

Filesize
5.2MB

Download
memory/1620-1332-0x0000000003EC0000-0x00000000043F8000-memory.dmp

Filesize
5.2MB

Download
memory/1620-516-0x00000000011E0000-0x0000000001718000-memory.dmp

Filesize
5.2MB

Download
memory/1620-605-0x0000000002B20000-0x0000000003058000-memory.dmp

Filesize
5.2MB

Download
memory/1620-593-0x0000000003B30000-0x0000000004068000-memory.dmp

Filesize
5.2MB

Download
memory/1620-1398-0x00000000011E0000-0x0000000001718000-memory.dmp

Filesize
5.2MB

Download
memory/1620-1489-0x0000000003B30000-0x0000000004068000-memory.dmp

Filesize
5.2MB

Download
memory/1756-1395-0x00000000011E0000-0x0000000001718000-memory.dmp

Filesize
5.2MB

Download
memory/1756-1396-0x0000000002CC0000-0x00000000031F8000-memory.dmp

Filesize
5.2MB

Download
memory/2404-1397-0x00000000011E0000-0x0000000001718000-memory.dmp

Filesize
5.2MB

Download
memory/2856-2193-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2944-1863-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-1860-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2944-1859-0x00000000003B0000-0x00000000003C7000-memory.dmp

Filesize
92KB

Download
memory/2944-1858-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download