bazarbackdoor | db4104e1c6b9e7f82b97ce171a0196aa52a2a05733ba078ba636a8d563448b93

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-04-2023 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.5-global.exe
Size

21.6MB
MD5

3fd4f4a37bb70740e1121d42f4d65777
SHA1

b869dc12cab4d24d8576e3d0e9802ab07c13b78c
SHA256

db4104e1c6b9e7f82b97ce171a0196aa52a2a05733ba078ba636a8d563448b93
SHA512

fa1e89512677062995d84df4e6fca7fc3535a64e0b2fdbec128d72a3c0abd9d1f4f62e084d0bdeeffc92cc3c546ddb4c0b2778b149e25f00a655d9b375918fd4
SSDEEP

393216:+Xw7T+J/n8IPfs/dQETVlOBbpFEj9GZdqV56Hpk7IXOzDnKI17fyVn:+gv+V8aHExiTTqqHp6zvKcfyVn

Score

10^/10

bazarbackdoor adware backdoor discovery persistence spyware stealer upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe	BazarBackdoorVar3
C:\Windows\Installer\6dc840.msi	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

53 520 msiexec.exe
Downloads MZ/PE file

flow	pid	process
53	520	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

irsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exeAssistant_96.0.4693.50_Setup.exe_sfx.exejre-windows.exeassistant_installer.exeassistant_installer.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1952	irsetup.exe
1812	AdditionalExecuteTL.exe
1940	irsetup.exe
316	opera-installer-bro.exe
468	opera-installer-bro.exe
1976	opera-installer-bro.exe
1960	opera-installer-bro.exe
2012	opera-installer-bro.exe
2304	jre-windows.exe
2540	Assistant_96.0.4693.50_Setup.exe_sfx.exe
2688	jre-windows.exe
2780	assistant_installer.exe
2592	assistant_installer.exe
2464	installer.exe
2348	bspatch.exe
2404	unpack200.exe
2676	unpack200.exe
2616	unpack200.exe
1040	unpack200.exe
2216	unpack200.exe
2812	unpack200.exe
2876	unpack200.exe
1096	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.871-Installer-1.0.5-global.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exejre-windows.exeassistant_installer.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exe

pid	process
2008	TLauncher-2.871-Installer-1.0.5-global.exe
2008	TLauncher-2.871-Installer-1.0.5-global.exe
2008	TLauncher-2.871-Installer-1.0.5-global.exe
2008	TLauncher-2.871-Installer-1.0.5-global.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1812	AdditionalExecuteTL.exe
1812	AdditionalExecuteTL.exe
1812	AdditionalExecuteTL.exe
1812	AdditionalExecuteTL.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
316	opera-installer-bro.exe
316	opera-installer-bro.exe
468	opera-installer-bro.exe
316	opera-installer-bro.exe
1976	opera-installer-bro.exe
316	opera-installer-bro.exe
1960	opera-installer-bro.exe
1960	opera-installer-bro.exe
2012	opera-installer-bro.exe
1952	irsetup.exe
316	opera-installer-bro.exe
316	opera-installer-bro.exe
316	opera-installer-bro.exe
2304	jre-windows.exe
316	opera-installer-bro.exe
2780	assistant_installer.exe
1188
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
520	msiexec.exe
2348	bspatch.exe
2348	bspatch.exe
2348	bspatch.exe
2464	installer.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe
2404	unpack200.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1952-364-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-367-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-389-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-390-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-409-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1940-478-0x0000000001200000-0x00000000015E8000-memory.dmp	upx
behavioral1/memory/1952-491-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1940-582-0x0000000001200000-0x00000000015E8000-memory.dmp	upx
behavioral1/memory/316-585-0x0000000000E40000-0x0000000001378000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/468-597-0x0000000000E40000-0x0000000001378000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe	upx
behavioral1/memory/1976-610-0x0000000000130000-0x0000000000668000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/1952-1223-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1960-1374-0x0000000000E40000-0x0000000001378000-memory.dmp	upx
behavioral1/memory/2012-1395-0x0000000000E40000-0x0000000001378000-memory.dmp	upx
behavioral1/memory/1952-1417-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-1549-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/1952-1742-0x0000000000980000-0x0000000000D68000-memory.dmp	upx
behavioral1/memory/2348-2016-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2348-2026-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2348-2029-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

opera-installer-bro.exemsiexec.exeopera-installer-bro.exe

description	ioc	process
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\bin\ucrtbase.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxml2.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\gstreamer.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l2-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javaws.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\vcruntime140_1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-filesystem-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jopt-simple.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\resources.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-sysinfo-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxslt.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\thaidict.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-handle-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\psfont.properties.ja	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6dc842.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE508.tmp	msiexec.exe
File created	C:\Windows\Installer\6dc840.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6dc840.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4A8.tmp	msiexec.exe
File created	C:\Windows\Installer\6dc844.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

irsetup.exejre-windows.exeinstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_99"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_54"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_88"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_16"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_79"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_48"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_99"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_06"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exemsiexec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_17"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_32"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_48"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_28"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_48"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_71"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_56"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2"	installer.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exeirsetup.exeopera-installer-bro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	opera-installer-bro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2688	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2688	jre-windows.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeSecurityPrivilege	520	msiexec.exe
Token: SeCreateTokenPrivilege	2688	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2688	jre-windows.exe
Token: SeLockMemoryPrivilege	2688	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2688	jre-windows.exe
Token: SeMachineAccountPrivilege	2688	jre-windows.exe
Token: SeTcbPrivilege	2688	jre-windows.exe
Token: SeSecurityPrivilege	2688	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2688	jre-windows.exe
Token: SeLoadDriverPrivilege	2688	jre-windows.exe
Token: SeSystemProfilePrivilege	2688	jre-windows.exe
Token: SeSystemtimePrivilege	2688	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2688	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2688	jre-windows.exe
Token: SeCreatePagefilePrivilege	2688	jre-windows.exe
Token: SeCreatePermanentPrivilege	2688	jre-windows.exe
Token: SeBackupPrivilege	2688	jre-windows.exe
Token: SeRestorePrivilege	2688	jre-windows.exe
Token: SeShutdownPrivilege	2688	jre-windows.exe
Token: SeDebugPrivilege	2688	jre-windows.exe
Token: SeAuditPrivilege	2688	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2688	jre-windows.exe
Token: SeChangeNotifyPrivilege	2688	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2688	jre-windows.exe
Token: SeUndockPrivilege	2688	jre-windows.exe
Token: SeSyncAgentPrivilege	2688	jre-windows.exe
Token: SeEnableDelegationPrivilege	2688	jre-windows.exe
Token: SeManageVolumePrivilege	2688	jre-windows.exe
Token: SeImpersonatePrivilege	2688	jre-windows.exe
Token: SeCreateGlobalPrivilege	2688	jre-windows.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exe

pid	process
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1952	irsetup.exe
1940	irsetup.exe
1940	irsetup.exe
2688	jre-windows.exe
2688	jre-windows.exe
2688	jre-windows.exe
2688	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.871-Installer-1.0.5-global.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exe

description	pid	process	target process
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 2008 wrote to memory of 1952	2008	TLauncher-2.871-Installer-1.0.5-global.exe	irsetup.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1952 wrote to memory of 1812	1952	irsetup.exe	AdditionalExecuteTL.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1812 wrote to memory of 1940	1812	AdditionalExecuteTL.exe	irsetup.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 1940 wrote to memory of 316	1940	irsetup.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 468	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1976	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 316 wrote to memory of 1960	316	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1960 wrote to memory of 2012	1960	opera-installer-bro.exe	opera-installer-bro.exe
PID 1952 wrote to memory of 2304	1952	irsetup.exe	jre-windows.exe
PID 1952 wrote to memory of 2304	1952	irsetup.exe	jre-windows.exe
PID 1952 wrote to memory of 2304	1952	irsetup.exe	jre-windows.exe
PID 1952 wrote to memory of 2304	1952	irsetup.exe	jre-windows.exe
PID 316 wrote to memory of 2540	316	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 316 wrote to memory of 2540	316	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 316 wrote to memory of 2540	316	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe
PID 316 wrote to memory of 2540	316	opera-installer-bro.exe	Assistant_96.0.4693.50_Setup.exe_sfx.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5-global.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5-global.exe" "__IRCT:3" "__IRTSS:22640484" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.63 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x70c333e0,0x70c333f0,0x70c333fc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:468
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=316 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230415235620" --session-guid=40477c10-5388-4684-824a-b80140291283 --server-tracking-blob=OGEyOTM4NzgyNDRhNzM2ZWI1ZDczYjkxYjIzZTE2NThiOTcxOTliYjkwNzJkZWE2YTI4ZjlkZDBiNDUyMjNmNjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjciLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjgxNTk1Nzc1LjE5NzUiLCJ1c2VyYWdlbnQiOiJTZXR1cCBGYWN0b3J5IDkuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ik9wZXJhRGVza3RvcCIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Ik1TVEwifSwidXVpZCI6IjQzN2YyMTM3LWYwNmQtNDZhNi1iYzUzLWM1ZjY2N2MwMzk5NiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C03000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=97.0.4719.63 --initial-client-data=0x1b0,0x1b4,0x1b8,0x178,0x1bc,0x701433e0,0x701433f0,0x701433fc
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe"
        6⤵
        Executes dropped EXE
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=96.0.4693.50 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0xc36c28,0xc36c38,0xc36c44
        7⤵
        Executes dropped EXE
        
        PID:2592
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:520
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding DCC18189AD31DCA571C90FAA716E86A7
  2⤵
  - Loads dropped DLL
  PID:2196
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2464
- - C:\ProgramData\Oracle\Java\installcache_x64\7206388.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2348
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2404
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2876
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
773488ac86e6c0bb015144953fb791f7

SHA1
599c66784e4a8f40e8a8d461e0d98e5ad2e7be47

SHA256
ede30e3c1115148a1f206e1d446bca3b228a1310e13423adcc38870d3a516096

SHA512
22a571811cf5a94b5eec0592d59f816795e8082d4b680d5d807ae96bce6c410a434decd5abc1d095f395f266eebca1bb590db366a2c90e4411d9d89d7cba9d2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e983aa97c9f30ccc78879dd43246249

SHA1
67f08c49782ced03684d644fe69645e3c025d0c8

SHA256
907209ea1c9670728819cbc8c563cdcb9b708ee0b6d4adaebcb010df92c77393

SHA512
7a1e0a9cf7d347a7e70655890a5c8666aba010b13be6454ca2ad173129504ae1ed64a50e6591e210a7f82a90e4f49755b06905dad9a9de58faaca3b52d4b36c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa9d1ed9e4693decdfdce30305c085f9

SHA1
dacd54ab6757a3bc3e3c81dc24de1bf05b182bfb

SHA256
0ef3e5772a4ad21937798c6b58d2abf564e6bdd3fb487ada4bf2afe5b9a24225

SHA512
abd2921c917f1fd0a24f30edd704cf53e5dcac08ae9012b2ecef99147a1d35041c2c66a6d52b98fd65213ca32677d50dca51e59174eeb331b79e78e87906f573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec5a6ff15ab1a36c940d9f4c4e40a95e

SHA1
85d04ee9438c75988f5b2069165c5c607937f66f

SHA256
69384b76e8b0dd71ec24f5fe35db56aa5fa1788f8e1d0929ef08aef03671a577

SHA512
7b51a28133db1aa05b9a2e6b78069fb23071cff6cfd26f5f5fa64a2a63005b937ff75e5b5253ff2caf386eab2328af50cd02fb538eb937f8edd895e5e1ed10d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
434B

MD5
e0d11559895ed1c5b02b546560943b5a

SHA1
f92e585ed2ec61f81ea7247fdb68ce3c2505edba

SHA256
4a485df89e4104ac83734839e850120d0a4c2a64d26192ca59710a878a52702d

SHA512
77653002b0871c5ff00185896eb345afb23a2a39ec9b8f88d55822a0d5b4d612362f24201ef28d5024bfaa56d48c5f8935d016c4da3a8b116f172aa93b0de89c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
14b9c27540cba53ddc6933639c5e2875

SHA1
488ab7eeee4e9aec49917c6712ff92905ce089ba

SHA256
8d97e6f919875a0abb2e6370034c765071e1bd495ba72bf9c007e44152ae062f

SHA512
cd24bdd7921054e8b937d2dd5e72d0dd572de9468b82accca57f19559f49b459cd5bf7c5d57c6f724404d850c075d3381bb9b70a0fa97c4014cc92150210689b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\additional_file0.tmp

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A3A.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0C0.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2304152356197581976.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A6C.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0C2.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
9b1cde4d8de6713e0d94a29db10eb467

SHA1
3f9ba4061ddf991d625bc358c3df018ce0ccccab

SHA256
b7bfd0a4830175ee7fe8c63d6588b007f1120ec1efdb213c09f1e9b3c91ed4cf

SHA512
670789f023f3ec9bce6748abbadeea0a004c64678966cba4ab8c2370233cade7ed5a9df365011b945d76947405e8a963b4a590f982765b3653c20116c9f03a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG

Filesize
2KB

MD5
dfbcdef2ce486b1906a2a82f2eb76252

SHA1
728637c320d8764a88e6d7cf2bd0da28d9118c00

SHA256
75825ca77c3f71105b6dfa87171c376d443b4da680e90eb4f045f16e10dcb274

SHA512
250595ca264e54bc595ba547121c94b8e62e28da0843692536bc9b03616f3c161795db2422052859d6725bd1393c8a28b4345d1e49bf52794a2c1157073f1a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG123.PNG

Filesize
40KB

MD5
26d482a9bbb9c0fd478044355406ac10

SHA1
0f44ccaa0803a9acf48cc265f075d04ebf2e368f

SHA256
3cd0469dda3bab7cf2efe851379aad9f4e44200a85bf10d2e0d92b292419e6a0

SHA512
37c9f54d1e1cd0f8db6cb83c431aeb07c61172057416fb4743a091d97ae38980801b6353ced45a49ec25d6002f9a85660d9f9f540e74fdf9cedc913c452315ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
ddfa9d4dd306f76ade792484483b97e7

SHA1
4455ba407a7af9e861a16fea4c9993a0b9ca85a4

SHA256
730c0f409f836c50edf05e50f3fcf48c2e21eb30e292868cb14ed694e9e3273e

SHA512
f803b46bce2867c66df86dbac6910c0b07ed80a4f528e614ed66675a64686288cd37a8b12e66f70d5ec2036ef90db896df2b32a93a5b2c318fe7ed88cffbf975

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

Filesize
1KB

MD5
d2e568be42843c3a8ce877e14506cc5b

SHA1
f8f4a1bee36009c3145198b613995855404d4e43

SHA256
dc28a97fcd2f52992189c6f24f9e5d99e13e59eda6f45f4cd1ef635acfff29ab

SHA512
4f3eda687e43a6bb827cbd4712d627948cfbb022f7d4d4b70e8944fd3217974189f6a3bdee24de66205128a466a6197830de8c7dec2d7e7605e15a4d1777ed47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
0db1bfe2c486ced3b623bef4239f6fa6

SHA1
9fb1a9cbc386581713b6c17492a4e4996dfe7b92

SHA256
044908ff004ef4b861b706a19a71bfb1d2179329db1bfd46f32fe86d54b32c7c

SHA512
04edea3ada9aac0319d1ceb42b56128fe86a77e0ba5a4a78e91a0fa876d48b51514f054947be538245205f52002dfc6612b99c59a136b9c251cd0c0dc42e55b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

Filesize
43KB

MD5
3d6702d93a77a0581de453d501237a25

SHA1
ac501c14fafb4aa106ba50327e9ff8cb0c1c6799

SHA256
a349d5ae9ff58797c79ff58ec7fd0ae30a60e3d3d7db116753df13719d7b3952

SHA512
9dd11b3247e79d3f7666759bffba4de7b02d6a41855f6e358022beda8fab9486e08850aca8c8398ac6845cc33d5ff5d5663aeb90726dd6ef615aa2e7d28f1eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

Filesize
1KB

MD5
1b7b5c6a6d05c94bcc83cb408ea83371

SHA1
e1ba18d8c5d076356aea91d96c9e513c5dec308f

SHA256
263bc75c2b8c0cb7644c27bb57562b4e65429908dd28df621f185383836b894b

SHA512
28ea7d74f891b618469912e3da2e1117e1b1822509141c6b6df06e0e676b11b1136f63e020bda7fe98e5250b156cfb721e5a4424ea2222190f66c70e31252d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
106KB

MD5
51be149c8e20df63087c584165516ecd

SHA1
feabbb95b65e6929f086266b06ee1cfef83539a7

SHA256
b949eb246d81688efea07a7655652107ad435f37d493d93dd68c88a9fe6f3e33

SHA512
6f24e4caafd6af85c2f8641d7f2b066dfafa7d6abb512fa62f3642eaa42b549692b15043a3bf0e13cb1fae377fc1d3139dcf5cea3d4def24de197f75297e17f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
16e9c64633466bb6c95592120e118947

SHA1
e2bdf32513a10b89fb69744c247639f676cbbd58

SHA256
c78a7fae79da096dd8118033e7bff5326907a328d76c56d5f98fb9a4c651d0d0

SHA512
12c8e61986029c84170505c0f6cb33d8397a20968280c7d475fd6a667f9fc9f84c72e37c0ed9a5e44377b8c7fbfd668fbbc470638471ff4150d9a16dd4f43706

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
16e9c64633466bb6c95592120e118947

SHA1
e2bdf32513a10b89fb69744c247639f676cbbd58

SHA256
c78a7fae79da096dd8118033e7bff5326907a328d76c56d5f98fb9a4c651d0d0

SHA512
12c8e61986029c84170505c0f6cb33d8397a20968280c7d475fd6a667f9fc9f84c72e37c0ed9a5e44377b8c7fbfd668fbbc470638471ff4150d9a16dd4f43706

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
14KB

MD5
ca37094f32d358e687dfaf91aa975659

SHA1
98dd591ad598e8cc5af6947ada6e60196776b839

SHA256
1b4ce9de51a9ad7f809936cfda3696d3643390f0556064f91cf59ee3427fcf62

SHA512
3435a6bd69c956f89f10bdc21af98df0767b7f58535b472399819bef9f3a338b5eb41e7671c1236e92d730dbe9dd032bd9635f8950b34fa1d36f039619968227

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
602B

MD5
d501b088af46e1d936e690a9d3c3afb2

SHA1
553c719acfe0010b7f5b2103ad7616b66eb17cf2

SHA256
f1102c593c7bdfe0b07e5023c7356863499fcbbbe73d1d0f85dd9f21269406a2

SHA512
eabb20bd29060c23f634fe1b2af12d5d393c5e65f79307f49c2e8a7497ee11111ccb9760aa02ccb60189ca3691e1cffa09ba97001a1c1be7e440dc87c40fdb59

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

Filesize
1KB

MD5
905edb67ced86b964e87aa2d4979862f

SHA1
561d6e61986960979582ea8cec795355bae1c3e5

SHA256
2d540bd79a70400095b6bb23fa203bab28d2e67d16cf172f04918a23f49e1cb1

SHA512
c1cec3076d9884dfdd6105d935871db4a65302d8019ffa97906a83330a51a0e7eb46b3720ccb3e3f4f68500895ad7794867e7a631136bd21eda9beaab9ffce9d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
b88d9a2095fda3acbe81f54fa45d2008

SHA1
0c8f6579c44d9dc25310144f1f2be647a09511e8

SHA256
a7152ee6e7521e37cf7055b9d312b3b11c47a233428c7954ced7cec935f556bc

SHA512
9e8a75767f0c45d07ff4a956d0e7a01e28ef96a7fc2611fd5efd7112396520a57f7e12e410dc0cb559ac9c1546534e98eb71883b9518e2e9418d68de01d837a2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

Filesize
457B

MD5
6ac92e72056c5e1da54316378d852683

SHA1
33f4e0ff77257099156b46db0dd89162ff8bb56e

SHA256
e79e7703fc11c5261354c607113d7e173d266e765203de91980aca7e817e8f01

SHA512
0c59a02d11bcc35d50125352ba865bbc5dddf37332476631227fc083f0713c5a346a096291edd27e171830c4b83845b5693e3a3ca79e1daef28e6190aa24afb2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

Filesize
352B

MD5
cbb632e51a9c5c2955f9c0944c414831

SHA1
7ead327306e9e413e58a0923de3fd28fa6cf461f

SHA256
8cf449ed1f01d835faad56fb15e073cff95e8bfea6f8572edef160638b055ef6

SHA512
8abb5e5a82934e08b20e07a91f232a008e39f06ea098886b221bc9294bec6ceac4328f404b93ebb88fc66bb43fb179983c7f868e15a4c63d9294e0ea08db96a4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

Filesize
438B

MD5
770c30795469db59c765b04d9a918157

SHA1
d7d1178695b4bb61206723df7ea82f86f65e3a44

SHA256
1b03583344f44188444604f9989f8487761326590e83367ec0a51685e28aa679

SHA512
256a9cdeae7560f8ffa690bd2f3572dba56c363084e6adc4281d1418f9c8a2155ae5da154dd351e844e0c11c8e0c6d8009abae1e8733b5935a5a0da0986d1a52

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG

Filesize
206B

MD5
e5329b4f50a6d05b9f317d31e511f065

SHA1
832068e3e911b239525add101105cb0101f54518

SHA256
bffe754566e9658da9bb0ef029655219fb1421ab0e4c6c3ebd2c8f59aafc2c5c

SHA512
086e377427f4a4c80408e63c8b69aa511f7c5568b2b55d0ecd61b3380b63f587f004762de852b07e0aeb153f1a1f54c5ea3441a3e3992f203134fc9a827365b8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

Filesize
1KB

MD5
c23a0f2c75efceac95c193078b6dbdd1

SHA1
5796622e9d9eaa429c9de3927f2cd14f48b0d5f3

SHA256
1e1c44d65bddb73a09c2a4268a9f8579395ad6fa7bccb24ca8ac4462ab341e8f

SHA512
5bae2ffe515ec683ebe14842727ad11cb3681db3ecdb5b85575157b9f771cef8f2e6ff04adf3ab00ad8386b97e6245ee1e967da0b2c27cd81b93debb81a9c7b9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
1KB

MD5
894c378bfb0a3083a480c17e69b82d43

SHA1
c0d9adfba36da365e62ac5add34ca093d4e9abdc

SHA256
3fc0f92d4a1c0f3039a871316eb6e38ac90194f91f0a1d083215cb111c5ed309

SHA512
fb6076167edbf5326bcb85bb2f1343490a15dc21d98385672eba3aaa5b8f5545770fcbc038c027111364f11ecd049e180959114142a957f7f224fe40ddbde765

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

Filesize
41KB

MD5
727a0f9e22850aa16614eb8c57864f42

SHA1
4d412bb29b03db8c7defc52bb9916c6fbfddb9d5

SHA256
ed1bc76af6a5507063a880224b794ba9d0443b21d6e3a893805ede13c9ac2c92

SHA512
203506c5cb77119d618c19c16851fb7acf7ce76e2cb2517f9633e2e933aa3e86413f9b3314ef17f389648fb859545b8b9bda20c558a8f8ff50150fac7649eee2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

Filesize
1KB

MD5
d37c6beba4af2cb8095ac1e21125018a

SHA1
0ecd624a8f13d6851c2e262d896994249b4a2260

SHA256
833e0e81453d4dad3abfd62b3c64cf679cf034a3a259a60d814144a77f07e63b

SHA512
c01a604e8590337ec8bcb96ab819c9c814b5041e36217256316f1ff8ce7668eb16799c121c62d0a0542208269d98f81847079f02c1070ad905c183f374ce1b9c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
33KB

MD5
3198d6095e724feef0d00d65eb7bd797

SHA1
a6f587ab6c1691582d07b1e4f660ff915b319831

SHA256
bee631908a018dae4f4627c8c11f034fdb2157039273d7c5352b77f7667ee855

SHA512
ad45b067b599f7b43c3d21eba00c07e24945f6f013c0d32bda33b18c36f1511cbc35559bfc8fd602090337d6168c805e8b0014e7eb15f0dd8cdb975d57de05d3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
15KB

MD5
cea9d1885e6ec3771ac7cf82a77bfae8

SHA1
804f3cd6a8b8f458afa66e7a332f7093e90db3f2

SHA256
af75b34854ca3def97b18dd3af04b108ddacbd8f8f8db58464a76be6890e859a

SHA512
2ec07bb1643d0136113afcb28a81f0f28daf337b7bff2b44690fa8a53e6a9165b120313410b37848a0bde1cb3a9b6849fbeb4d8e30f1a5d6f7bc436dc958917e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f60f22179300aec107eacc228a1d969f

SHA1
d09f1e2b935ab341dfc25b1f35380f0d7b2e8803

SHA256
65c0b0b697a696684d9406d1a7b31f5cdb1ecd5aefebed5fe7c25a383d720796

SHA512
15efb24cdf679ee75d957b78e7b52090b60c5aebf2f40d0f529c969a2aa0062c958577d0fc108ad070755397322a750f2fda52c299d1db340649551990e5ec80

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f60f22179300aec107eacc228a1d969f

SHA1
d09f1e2b935ab341dfc25b1f35380f0d7b2e8803

SHA256
65c0b0b697a696684d9406d1a7b31f5cdb1ecd5aefebed5fe7c25a383d720796

SHA512
15efb24cdf679ee75d957b78e7b52090b60c5aebf2f40d0f529c969a2aa0062c958577d0fc108ad070755397322a750f2fda52c299d1db340649551990e5ec80

Download Submit
C:\Windows\Installer\6dc840.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIE508.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\assistant\Assistant_96.0.4693.50_Setup.exe_sfx.exe

Filesize
1.7MB

MD5
b386cdcb413405daa8219af8e4cbd318

SHA1
ce275ff8514fef0629c915a6ee7b5ac481b9043d

SHA256
408ebcce07eb76963651b97f84255b67e5f0e7ff6869e9c0e5bab0082eafe66e

SHA512
91f6bf600e022a2a80c6b0a7b84fd5549804111447f66c4a30e768a589efc0702d02634a9ba23ce18c42701e42b440af0aa3396cc317fa733c2f90223b6db626

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202304152356201\opera_package

Filesize
86.9MB

MD5
6b7771354e081eb94cdbf7627799da4f

SHA1
199341a750443cc6e9b2b2fa1e657d0dd327711f

SHA256
494d1247e61eebf703a6eb19c14bde88edd2f85515fefa4f0465f43873e69aab

SHA512
33e781a102ba3f5c3b1895540bc9c43b78bf4f19af4b91ae0c765594f39d6569d1bad207b33f808426d8ebdcb00c419b7bb76bb050bae0bb843f96dd84355800

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230415235616294316.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_230415235617667468.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2304152356197581976.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2304152356200851960.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2304152356202572012.dll

Filesize
4.6MB

MD5
4fa000d2daf4a9a8b30a36de57343e8b

SHA1
4865161c5ec70cce04079a6cbf08795e05bacbf1

SHA256
50df18de18d3cdd5cc21f8fc0dbabbe5a60690027b82af25806f679f492065de

SHA512
a52620ab7ae4e8a6c7379790fc70c5cc611a06432b83ded0a7ea476a647098fcb18797b42ed98293c3e9dd955d784819638597e3b1b419f54eeb9a0084b625ca

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
92d1c01623cc06eb11096ff6e4fa7206

SHA1
059ccb8ba1228662adc487e8e17844651e856ca6

SHA256
667aa7c3017b648709ed7870f537b15484e2b90c939ffca5174faec5f2e3005f

SHA512
aba40d8b32655177b7aafb203fd9edf58eeda701fa121955ef510d4399ca4184b97cc58235e83bb782f630f0a59c24c130dcf73085dacc37003beb626387665d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7161990.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.7MB

MD5
81a3a00b3422fffdb714230b750938e3

SHA1
e5a9b31940fa10d37a41b95b0b99376e52297fd3

SHA256
29ba5699a426089746fbb28e1e8c38bda021012b266494d485ab90faa6dc3d76

SHA512
a209b4a427498a9024b800cbeecdfe62b83d3e0af825fcd49ad700e84ac258527274e4319e0e850766f37404da889713361b3cb26b9276dc544cbc8400f6a716

Download Submit
memory/316-1592-0x00000000040B0000-0x00000000045E8000-memory.dmp

Filesize
5.2MB

Download
memory/316-1261-0x00000000040B0000-0x00000000045E8000-memory.dmp

Filesize
5.2MB

Download
memory/316-585-0x0000000000E40000-0x0000000001378000-memory.dmp

Filesize
5.2MB

Download
memory/316-1078-0x0000000003970000-0x0000000003EA8000-memory.dmp

Filesize
5.2MB

Download
memory/316-596-0x0000000002A50000-0x0000000002F88000-memory.dmp

Filesize
5.2MB

Download
memory/468-597-0x0000000000E40000-0x0000000001378000-memory.dmp

Filesize
5.2MB

Download
memory/1812-476-0x0000000002B60000-0x0000000002F48000-memory.dmp

Filesize
3.9MB

Download
memory/1812-477-0x0000000002B60000-0x0000000002F48000-memory.dmp

Filesize
3.9MB

Download
memory/1940-581-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1940-478-0x0000000001200000-0x00000000015E8000-memory.dmp

Filesize
3.9MB

Download
memory/1940-584-0x0000000005B20000-0x0000000006058000-memory.dmp

Filesize
5.2MB

Download
memory/1940-582-0x0000000001200000-0x00000000015E8000-memory.dmp

Filesize
3.9MB

Download
memory/1940-583-0x0000000005B20000-0x0000000006058000-memory.dmp

Filesize
5.2MB

Download
memory/1952-1549-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1428-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-1743-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-1550-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-365-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-1429-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/1952-364-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1223-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1417-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-491-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-436-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/1952-410-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-409-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-391-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-390-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-389-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-366-0x0000000002570000-0x0000000002573000-memory.dmp

Filesize
12KB

Download
memory/1952-367-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1952-368-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1952-1742-0x0000000000980000-0x0000000000D68000-memory.dmp

Filesize
3.9MB

Download
memory/1960-1374-0x0000000000E40000-0x0000000001378000-memory.dmp

Filesize
5.2MB

Download
memory/1960-1394-0x0000000002B60000-0x0000000003098000-memory.dmp

Filesize
5.2MB

Download
memory/1976-610-0x0000000000130000-0x0000000000668000-memory.dmp

Filesize
5.2MB

Download
memory/2008-384-0x0000000002A60000-0x0000000002E48000-memory.dmp

Filesize
3.9MB

Download
memory/2008-68-0x0000000002A60000-0x0000000002E48000-memory.dmp

Filesize
3.9MB

Download
memory/2008-383-0x0000000002A60000-0x0000000002E48000-memory.dmp

Filesize
3.9MB

Download
memory/2008-69-0x0000000002A60000-0x0000000002E48000-memory.dmp

Filesize
3.9MB

Download
memory/2008-74-0x0000000002A60000-0x0000000002E48000-memory.dmp

Filesize
3.9MB

Download
memory/2012-1395-0x0000000000E40000-0x0000000001378000-memory.dmp

Filesize
5.2MB

Download
memory/2348-2017-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2348-2029-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-2026-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-2019-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2348-2018-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2348-2016-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download