73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736

Analysis

max time kernel
159s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13/02/2023, 15:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.86-Installer-1.0.exe
Size

21.7MB
MD5

54686b90f8d52d9489a4e8f41738d0da
SHA1

6931287434aa17f3681dde38710224165cb368ee
SHA256

73979ef05ff6e528a344ccbc00d4b28b4203884a78f88bd87ce262111717a736
SHA512

ee9a2f658bd7f695c5a5bef480b4189724fcdb3ac9be916e6a2575f34737107bd35f8f388b42c3c4f6464051d24221a34992baf8ccb18efdcf854cfe8e25d700
SSDEEP

393216:tXemKme/RtYto0fs/dQETVlOBbpFEj9GZdqV56HpkbGCST7yuk9sLe:tOmsJWTHExiTTqqHpMs6

Score

8^/10

discovery upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
30	1000	msiexec.exe
31	1000	msiexec.exe
33	1000	msiexec.exe
35	1000	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1144	irsetup.exe
1976	AdditionalExecuteTL.exe
1608	irsetup.exe
1940	jre-windows.exe
968	installer.exe
1712	bspatch.exe
672	unpack200.exe
1728	unpack200.exe
588	unpack200.exe
1484	unpack200.exe
1392	unpack200.exe
1248	unpack200.exe
1776	unpack200.exe
1108	unpack200.exe
1472	javaw.exe

Loads dropped DLL 45 IoCs

pid	Process
1096	TLauncher-2.86-Installer-1.0.exe
1096	TLauncher-2.86-Installer-1.0.exe
1096	TLauncher-2.86-Installer-1.0.exe
1096	TLauncher-2.86-Installer-1.0.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1976	AdditionalExecuteTL.exe
1976	AdditionalExecuteTL.exe
1976	AdditionalExecuteTL.exe
1976	AdditionalExecuteTL.exe
1608	irsetup.exe
1608	irsetup.exe
1608	irsetup.exe
1144	irsetup.exe
1396	Process not Found
1396	Process not Found
1000	msiexec.exe
1712	bspatch.exe
1712	bspatch.exe
1712	bspatch.exe
968	installer.exe
672	unpack200.exe
1728	unpack200.exe
588	unpack200.exe
1484	unpack200.exe
1392	unpack200.exe
1248	unpack200.exe
1776	unpack200.exe
1108	unpack200.exe
968	installer.exe
968	installer.exe
968	installer.exe
868	Process not Found
868	Process not Found
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe
1472	javaw.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000133ab-55.dat	upx
behavioral1/files/0x000a0000000133ab-56.dat	upx
behavioral1/files/0x000a0000000133ab-58.dat	upx
behavioral1/files/0x000a0000000133ab-57.dat	upx
behavioral1/files/0x000a0000000133ab-60.dat	upx
behavioral1/memory/1144-66-0x0000000000DE0000-0x00000000011C8000-memory.dmp	upx
behavioral1/files/0x000a0000000133ab-68.dat	upx
behavioral1/memory/1144-74-0x0000000000DE0000-0x00000000011C8000-memory.dmp	upx
behavioral1/files/0x000a0000000133ab-75.dat	upx
behavioral1/files/0x000400000001ca14-84.dat	upx
behavioral1/files/0x000400000001ca14-87.dat	upx
behavioral1/files/0x000400000001ca14-86.dat	upx
behavioral1/files/0x000400000001ca14-85.dat	upx
behavioral1/files/0x000400000001ca14-89.dat	upx
behavioral1/files/0x000400000001ca14-95.dat	upx
behavioral1/memory/1608-102-0x0000000000FE0000-0x00000000013C8000-memory.dmp	upx
behavioral1/memory/1608-103-0x0000000000FE0000-0x00000000013C8000-memory.dmp	upx
behavioral1/files/0x000300000001d763-123.dat	upx
behavioral1/files/0x000300000001d763-124.dat	upx
behavioral1/files/0x000300000001d763-128.dat	upx
behavioral1/files/0x000300000001d763-127.dat	upx
behavioral1/files/0x000300000001d763-126.dat	upx
behavioral1/memory/1712-131-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1712-135-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2native.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\bci.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\deployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\j2pkcs11.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\COPYRIGHT	installer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI774D.tmp	msiexec.exe
File created	C:\Windows\Installer\6e6e52.msi	msiexec.exe
File created	C:\Windows\Installer\6e6e4e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e6e4e.msi	msiexec.exe
File created	C:\Windows\Installer\6e6e50.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140815	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\PackageName = "jre1.8.0_51.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2681408150F\jrecore	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\jre1.8.0_51_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2681408150F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\PackageCode = "07E8A08DDF5AABB4AAD0B6661A8FF917"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\jre1.8.0_51_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140815\4EA42A62D9304AC4784BF2681408150F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\ProductName = "Java 8 Update 51 (64-bit)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\Version = "134218238"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\Assignment = "1"	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1940	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1940	jre-windows.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeSecurityPrivilege	1000	msiexec.exe
Token: SeCreateTokenPrivilege	1940	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1940	jre-windows.exe
Token: SeLockMemoryPrivilege	1940	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1940	jre-windows.exe
Token: SeMachineAccountPrivilege	1940	jre-windows.exe
Token: SeTcbPrivilege	1940	jre-windows.exe
Token: SeSecurityPrivilege	1940	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1940	jre-windows.exe
Token: SeLoadDriverPrivilege	1940	jre-windows.exe
Token: SeSystemProfilePrivilege	1940	jre-windows.exe
Token: SeSystemtimePrivilege	1940	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1940	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1940	jre-windows.exe
Token: SeCreatePagefilePrivilege	1940	jre-windows.exe
Token: SeCreatePermanentPrivilege	1940	jre-windows.exe
Token: SeBackupPrivilege	1940	jre-windows.exe
Token: SeRestorePrivilege	1940	jre-windows.exe
Token: SeShutdownPrivilege	1940	jre-windows.exe
Token: SeDebugPrivilege	1940	jre-windows.exe
Token: SeAuditPrivilege	1940	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1940	jre-windows.exe
Token: SeChangeNotifyPrivilege	1940	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1940	jre-windows.exe
Token: SeUndockPrivilege	1940	jre-windows.exe
Token: SeSyncAgentPrivilege	1940	jre-windows.exe
Token: SeEnableDelegationPrivilege	1940	jre-windows.exe
Token: SeManageVolumePrivilege	1940	jre-windows.exe
Token: SeImpersonatePrivilege	1940	jre-windows.exe
Token: SeCreateGlobalPrivilege	1940	jre-windows.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe
Token: SeRestorePrivilege	1000	msiexec.exe
Token: SeTakeOwnershipPrivilege	1000	msiexec.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1144	irsetup.exe
1608	irsetup.exe
1608	irsetup.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1096 wrote to memory of 1144	1096	TLauncher-2.86-Installer-1.0.exe	26
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1144 wrote to memory of 1976	1144	irsetup.exe	29
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1976 wrote to memory of 1608	1976	AdditionalExecuteTL.exe	30
PID 1144 wrote to memory of 1940	1144	irsetup.exe	32
PID 1144 wrote to memory of 1940	1144	irsetup.exe	32
PID 1144 wrote to memory of 1940	1144	irsetup.exe	32
PID 1144 wrote to memory of 1940	1144	irsetup.exe	32
PID 1000 wrote to memory of 968	1000	msiexec.exe	36
PID 1000 wrote to memory of 968	1000	msiexec.exe	36
PID 1000 wrote to memory of 968	1000	msiexec.exe	36
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 1712	968	installer.exe	37
PID 968 wrote to memory of 672	968	installer.exe	40
PID 968 wrote to memory of 672	968	installer.exe	40
PID 968 wrote to memory of 672	968	installer.exe	40
PID 968 wrote to memory of 1728	968	installer.exe	42
PID 968 wrote to memory of 1728	968	installer.exe	42
PID 968 wrote to memory of 1728	968	installer.exe	42
PID 968 wrote to memory of 588	968	installer.exe	43
PID 968 wrote to memory of 588	968	installer.exe	43
PID 968 wrote to memory of 588	968	installer.exe	43
PID 968 wrote to memory of 1484	968	installer.exe	45
PID 968 wrote to memory of 1484	968	installer.exe	45
PID 968 wrote to memory of 1484	968	installer.exe	45
PID 968 wrote to memory of 1392	968	installer.exe	47
PID 968 wrote to memory of 1392	968	installer.exe	47
PID 968 wrote to memory of 1392	968	installer.exe	47
PID 968 wrote to memory of 1248	968	installer.exe	50
PID 968 wrote to memory of 1248	968	installer.exe	50
PID 968 wrote to memory of 1248	968	installer.exe	50
PID 968 wrote to memory of 1776	968	installer.exe	52
PID 968 wrote to memory of 1776	968	installer.exe	52
PID 968 wrote to memory of 1776	968	installer.exe	52
PID 968 wrote to memory of 1108	968	installer.exe	53
PID 968 wrote to memory of 1108	968	installer.exe	53
PID 968 wrote to memory of 1108	968	installer.exe	53
PID 968 wrote to memory of 1472	968	installer.exe	55
PID 968 wrote to memory of 1472	968	installer.exe	55
PID 968 wrote to memory of 1472	968	installer.exe	55

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.exe" "__IRCT:3" "__IRTSS:22693245" "__IRSID:S-1-5-21-999675638-2867687379-27515722-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-999675638-2867687379-27515722-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1712
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1728
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:588
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1484
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1392
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1248
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1776
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1108
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1472
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1124
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      PID:1876
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1636

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
PID:1284
- C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\installer.exe

Filesize
36.1MB

MD5
f4aeffe5d7206c8553711a2a1e197ff6

SHA1
d0479b9e829c60167686f100079a32c5ba6b00e7

SHA256
b6c428b9d17993468e925736e4a7e36070884755db09969379db276ef14a0466

SHA512
854370e3d844ee94cd135d0b992bb6634eba046cf9699c35561fc262260fbec5812ec2f9c35b37d7ae2227e3040e232bc80c419210a70181675440ff35a0b3ff

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack

Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack

Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8

Filesize
28.9MB

MD5
892e80714eff06a20d3aee6ca587fa2d

SHA1
114d3afdfecc78eb8092e756eacbffe5029a6511

SHA256
1e813b1ca30e373de2a1e50316225cb50f4956a7b35269372b6faebe030dc6a6

SHA512
735a3d29cc9e600270252116818d5218f195d16b71575577d234a47f88b65b1e1dd51c1a9830747104303947a00eb9193441989af9a7ef595c675332b031497a

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff

Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\newimage

Filesize
23.8MB

MD5
2ebe138532bb0e367c4df62b16340bcd

SHA1
4020757ac6f135907318465ca1eb63367bf790ef

SHA256
dd23499dfbe319f277a26ad30dfc090b34007cb114d4cdf6ae56295edeff9037

SHA512
3b9d7baae17d51426f354d981a26ed1778b490121172fcd0d52022f9362ad3bc685050b941545337fa11ebb77a7ef78d8cada9701c2974f0d981646a624e292a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
d7df4cf91c4cb07af97344657f6f11ae

SHA1
7f671a7d3c6c478a023287222cfdb8531c3723a0

SHA256
5f0475cb24ed0977b3081a2e4e12054b8ea7b9e0629d115aa8f8b9062247bdd0

SHA512
a5f5b3ebf71d57833fa2e8ffa4a7230af58787dff526727ccd1eeebdbd67f81eb01d94af29068b17b6b088840d7284e0d7dbc6a2a977ec652d62ab51133bde87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cbcfb42295173458ae8440c01334210

SHA1
5b2649f9f49be7f3a09a623a0fd79222f68125dc

SHA256
4297f737498e3c287acf0ea5d0b7629ce6fe28da241c6017a94be704b7fe7d1d

SHA512
156e25e890870e4c59f01fcb6871185ec271593c64ff24c67c1cf03811560b02d7c1a8ef74f7d21d09ea3ac6cb02a31dcc08b2f4aa0b4c276cc9a30cfafb7ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
395039d044b4613e60cffafc5aa4dfc4

SHA1
9a063aaacc132de221043adc7a98e7d271ac50f8

SHA256
0edd1b665b9891a4d17d834b2358f35a7791d8c0487f94a12253dd5951300e74

SHA512
4ae783ed80eef3533624892df4dd63d277a10f150d4b654d06f655c6a38a5d2060cbfa7aced47433d96af6e47dc2cb81b25600bcb8725d9d42aebba3eec1c7fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
17KB

MD5
8cfb05e153f9005a72bbb985c77efa7e

SHA1
5579bff974355c1513c1067fd4796657fdbbe70c

SHA256
d7db089756c49b0013fd3fa75972c697b01b23ec076803a547a0e33b2f526197

SHA512
efbf2f42e03e539b4f00a9e7972aa90ce9ba374561dc61c92f99c879d7416d3a6c97baf8fb8d913ab37c01cf9b2fc3f996f216eae5e358eb0ec76d8c59e76386

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
600B

MD5
a4f9188d29daaeffdcc263d394ac8dc4

SHA1
ebbdda7bcfaa6b32fda7cc270ce8072f823d57bf

SHA256
b80338bd0a79ebd273b6380e2d602698effc64f402501ea1937cffe63de3585f

SHA512
cccd6a48508fd781d9c97f7649a6dee021baf39cb3bac1dd072f98c6fc82ded5955c7e5a8d8901809406532880c7cc78839ccb2ec0a6b41755e26407e64a1b93

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Program Files\Java\jre1.8.0_51\installer.exe

Filesize
30.4MB

MD5
174882da11eb458b2e21392025c9308b

SHA1
ec0c4d94b138dfb7d006f7625285a867bbab8805

SHA256
7ba8891891e85efcfd047411c85f234ab9e6f185b2f94d58b0cb9522f25d8f44

SHA512
57c9f40a29970921cbb0aa5974d66bcb9af2016b1bfe4ee9340ee94207809972f298536a72627b653ea56ceac58728a2b29cf60d10dade833ee938910ca7280c

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9e6647a44c7e8c2936688de4c44fa0ed

SHA1
4243691c66caf34f8ce840b77312e02ebf06ea8e

SHA256
0856229158dbdda1c1fb1b7076baeac546c88ba709356a73fdc1147d17c0a29f

SHA512
0054a87606c9f95d00d1a4e804aec1cd01bf3b1c4ed21456a246d9baa31becce749b5ea75ca63beb3e614da06da9199e618635f0f36a38f1de9c0d3cba1cbad1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
memory/1096-73-0x0000000002D50000-0x0000000003138000-memory.dmp

Filesize
3.9MB

Download
memory/1096-62-0x0000000002D50000-0x0000000003138000-memory.dmp

Filesize
3.9MB

Download
memory/1096-63-0x0000000002D50000-0x0000000003138000-memory.dmp

Filesize
3.9MB

Download
memory/1096-64-0x0000000002D50000-0x0000000003138000-memory.dmp

Filesize
3.9MB

Download
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1144-74-0x0000000000DE0000-0x00000000011C8000-memory.dmp

Filesize
3.9MB

Download
memory/1144-93-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/1144-117-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1144-71-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1144-105-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/1144-66-0x0000000000DE0000-0x00000000011C8000-memory.dmp

Filesize
3.9MB

Download
memory/1144-72-0x0000000000490000-0x0000000000493000-memory.dmp

Filesize
12KB

Download
memory/1472-165-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1608-103-0x0000000000FE0000-0x00000000013C8000-memory.dmp

Filesize
3.9MB

Download
memory/1608-102-0x0000000000FE0000-0x00000000013C8000-memory.dmp

Filesize
3.9MB

Download
memory/1712-133-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1712-132-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1712-134-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1712-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1712-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1876-179-0x0000000002470000-0x0000000003470000-memory.dmp

Filesize
16.0MB

Download
memory/1940-109-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1976-94-0x0000000002D20000-0x0000000003108000-memory.dmp

Filesize
3.9MB

Download
memory/1976-101-0x0000000002D20000-0x0000000003108000-memory.dmp

Filesize
3.9MB

Download
memory/1976-97-0x0000000002D20000-0x0000000003108000-memory.dmp

Filesize
3.9MB

Download
memory/1976-96-0x0000000002D20000-0x0000000003108000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads