2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb

Resubmissions

11-03-2023 20:24

230311-y62amsda4v 8

11-03-2023 20:17

230311-y2pq2sda3t 8

Analysis

max time kernel
901s
max time network
889s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
11-03-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.876.exe
Size

6.3MB
MD5

f08d9bbc61cff8e8c3504524c3220bef
SHA1

b4268c667469620bb528c04eaa819d508159b398
SHA256

2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb
SHA512

a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4
SSDEEP

196608:/PIsbJRd4KIlsep5E8laWRtMGplAZQHW07v:HIqNbeY8la1Gpl/7

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

jre-8u51-windows-x64.exeinstaller.execonhost.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaw.exejavaw.exejavaw.exejavaw.exejavaw.exe

pid	process
1620	jre-8u51-windows-x64.exe
1020	installer.exe
2180	conhost.exe
3056	unpack200.exe
1584	unpack200.exe
2076	unpack200.exe
2124	unpack200.exe
2172	unpack200.exe
2228	unpack200.exe
288	unpack200.exe
2300	unpack200.exe
2352	javaw.exe
2728	javaws.exe
2740	javaw.exe
2060	jp2launcher.exe
2716	javaw.exe
2840	javaw.exe
1996	javaw.exe
2128	javaw.exe
524	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

iexplore.exemsiexec.execonhost.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exeTLauncher-2.876.exe

pid	process
1096	iexplore.exe
1408
1408
1088	msiexec.exe
2180	conhost.exe
2180	conhost.exe
2180	conhost.exe
1020	installer.exe
3056	unpack200.exe
1584	unpack200.exe
2076	unpack200.exe
2124	unpack200.exe
2172	unpack200.exe
2228	unpack200.exe
288	unpack200.exe
2300	unpack200.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
824
824
2352	javaw.exe
2352	javaw.exe
2352	javaw.exe
2352	javaw.exe
2352	javaw.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
1020	installer.exe
824
824
2728	javaws.exe
2740	javaw.exe
2740	javaw.exe
2740	javaw.exe
2740	javaw.exe
2740	javaw.exe
2728	javaws.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2060	jp2launcher.exe
2676	TLauncher-2.876.exe
2676	TLauncher-2.876.exe
2676	TLauncher-2.876.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/2180-879-0x0000000000400000-0x0000000000417000-memory.dmp	upx
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/2180-884-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exejavaw.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\flavormap.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\resources.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\nio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe

Drops file in Windows directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6e58db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e58db.msi	msiexec.exe
File created	C:\Windows\Installer\6e58dd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6210.tmp	msiexec.exe
File created	C:\Windows\Installer\6e58df.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d8bf10da5754d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeinstaller.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000067a513d5e9ca42bfa11bcab11d1838b652c26b1c2c1d10542341cddd338a5bd000000000e8000000002000020000000acc1f6e4fd8c7010cf58ead264262551aeb8e45b5585d172701c02ac8ee9d15590000000387c544a07587bfe639149a7a6db37ee5bcca780ed0c47638a4f9a15736070a51cda0de992875fe9feaa883b789929e9d19963eb342cb8f15710c7679e61311949964c85d5a414b441b87552128022910724e4c59e45230c3abb7dfb31e3673636b3bacabffbbcd0a202b059adadcd0974c1bc0b2e9a74baef298e8b9ba4507c2c071f6f8c1bbc219def718f0618d9a2400000002e8581a28edce3452d84324c21b54b84aeef4077f3909f97e16a791d92b03600797ce0c42893e26e83da0aadb1499c6975790ed8db50695982f771e78327b553	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000370abc5c1fd544186dd7dcd149202936850864b3a5a53f74a852f19019a9e025000000000e8000000002000020000000fe8a98be2394ab9b3d01c7f0fb161befc52810da409422e5f82d820b3bd77ecf20000000497a5eb61e55c7af62f8c8c655c025f2dcd75320c062650f0974c4a4854f3044400000004f4052b1fa917fe42ce52615fa142dc765c7862acb32af18074629e4c61924871e0b219f2382c74cb42d84feae49e08e910b2538e042cee058bdd2856764328b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0A470C71-C04B-11ED-B3D5-F6B2F3A01775} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80376ce65754d901	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385331424"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-FFFF-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_40"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_30"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_01"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_68"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_90"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_02"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InProcServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_32"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

jp2launcher.exe

pid process

2060 jp2launcher.exe

pid	process
2060	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEjre-8u51-windows-x64.exemsiexec.exe

description	pid	process
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: SeShutdownPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeCreateTokenPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	1620	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	1620	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1096 iexplore.exe
1096 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEjavaw.exe

pid process

1096 iexplore.exe
1096 iexplore.exe
1500 IEXPLORE.EXE
1500 IEXPLORE.EXE
1500 IEXPLORE.EXE
1500 IEXPLORE.EXE
2840 javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.876.exeiexplore.exemsiexec.exeinstaller.exejavaws.exeTLauncher-2.876.exe

description	pid	process	target process
PID 1088 wrote to memory of 1096	1088	TLauncher-2.876.exe	iexplore.exe
PID 1088 wrote to memory of 1096	1088	TLauncher-2.876.exe	iexplore.exe
PID 1088 wrote to memory of 1096	1088	TLauncher-2.876.exe	iexplore.exe
PID 1088 wrote to memory of 1096	1088	TLauncher-2.876.exe	iexplore.exe
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1500	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1620	1096	iexplore.exe	jre-8u51-windows-x64.exe
PID 1096 wrote to memory of 1620	1096	iexplore.exe	jre-8u51-windows-x64.exe
PID 1096 wrote to memory of 1620	1096	iexplore.exe	jre-8u51-windows-x64.exe
PID 1088 wrote to memory of 1020	1088	msiexec.exe	installer.exe
PID 1088 wrote to memory of 1020	1088	msiexec.exe	installer.exe
PID 1088 wrote to memory of 1020	1088	msiexec.exe	installer.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 2180	1020	installer.exe	conhost.exe
PID 1020 wrote to memory of 3056	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 3056	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 3056	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 1584	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 1584	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 1584	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2076	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2076	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2076	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2124	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2124	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2124	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2172	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2172	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2172	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2228	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2228	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2228	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 288	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 288	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 288	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2300	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2300	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2300	1020	installer.exe	unpack200.exe
PID 1020 wrote to memory of 2352	1020	installer.exe	javaw.exe
PID 1020 wrote to memory of 2352	1020	installer.exe	javaw.exe
PID 1020 wrote to memory of 2352	1020	installer.exe	javaw.exe
PID 1020 wrote to memory of 2728	1020	installer.exe	javaws.exe
PID 1020 wrote to memory of 2728	1020	installer.exe	javaws.exe
PID 1020 wrote to memory of 2728	1020	installer.exe	javaws.exe
PID 2728 wrote to memory of 2740	2728	javaws.exe	javaw.exe
PID 2728 wrote to memory of 2740	2728	javaws.exe	javaw.exe
PID 2728 wrote to memory of 2740	2728	javaws.exe	javaw.exe
PID 2728 wrote to memory of 2060	2728	javaws.exe	jp2launcher.exe
PID 2728 wrote to memory of 2060	2728	javaws.exe	jp2launcher.exe
PID 2728 wrote to memory of 2060	2728	javaws.exe	jp2launcher.exe
PID 2676 wrote to memory of 2716	2676	TLauncher-2.876.exe	javaw.exe
PID 2676 wrote to memory of 2716	2676	TLauncher-2.876.exe	javaw.exe
PID 2676 wrote to memory of 2716	2676	TLauncher-2.876.exe	javaw.exe
PID 2676 wrote to memory of 2716	2676	TLauncher-2.876.exe	javaw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
2⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
PID:2180

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1584

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2352

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "737795636-1916467652849907913250784217271613091694652554-1598469282-632316899"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4
1⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
2⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
PID:1652

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
PID:2740

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
2⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
PID:2080

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
2⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
1⤵
PID:1052

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876.exe"
2⤵
- Executes dropped EXE
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
Filesize
202KB

MD5
7b23b0aab68e65b93bb6477f05999574

SHA1
920752e4c22e1165e6df27f69599483187edfbb3

SHA256
32546ecf1236769d2d777331f90282fb97589bec75da11c8e727d61d3d4c988a

SHA512
e3395303e53edce3dfa8fe11b7338c77795595a17dac17818e4bc8b77feee4900d541201d6762aa8f46565730e24a5423684049d40bbd074186ef7223c96b604

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
Filesize
202KB

MD5
7b23b0aab68e65b93bb6477f05999574

SHA1
920752e4c22e1165e6df27f69599483187edfbb3

SHA256
32546ecf1236769d2d777331f90282fb97589bec75da11c8e727d61d3d4c988a

SHA512
e3395303e53edce3dfa8fe11b7338c77795595a17dac17818e4bc8b77feee4900d541201d6762aa8f46565730e24a5423684049d40bbd074186ef7223c96b604

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll
Filesize
8.3MB

MD5
2894ece7b8de355b13978d6b8ec6e68c

SHA1
cec5cd8450498ee6f81eae2f10e56726b6125be2

SHA256
04d85639dacb86c6efca146051681608727f0376ca5293b9f83b232fc4db6a54

SHA512
634e1cedf63d384c072bbd32dbca35982f7b2a7a77ab6d11130f2d45fd164d17ad080206a650854473370e824ec1153c61821c318a2af7954d2031a38d37bfd4

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\installer.exe
Filesize
89.1MB

MD5
de052a3a782280dfe0d333bfb894c7d3

SHA1
c6a2c5150e1a6f7d5fccf5927aef1c5b2a94ea74

SHA256
cacefac05b6719d7ec1bd4945de0e58e9233e54d2ba94d68103bcd2bb04cdde3

SHA512
dfd8bfea673f0c1a37199cd76ceb9f7731eb3c502f02b8e81fd72dc6f4d9cec866fb3133b45ff93127a459be75580d1488609ecf2ab337a685a91fe609245935

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg
Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack
Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack
Filesize
4.8MB

MD5
8dfebf0b78c6e3bf5aa5002ca9a6da1a

SHA1
1edee53b9e0af5d767d0051c2beccc474035024f

SHA256
0840d659560e62fcc41cd42dec9d7aedb8359f606097b540806452ca8ad05e21

SHA512
f9bf6e9558b52969ec152fbfebc239c1bcb7e4343b3dc58da5e7cac015d1fe75f255bd9ceb3fdeb86b2c05be62c62b552a25c94aba4091df3eaf163cf91da444

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack
Filesize
1.3MB

MD5
2ad7c3462a7494b29edbe3701ebeab4c

SHA1
7358ab9b0c4771efdc0d28764b90a46aac55e865

SHA256
7cdc489fa093e924649e82f4eb9689bc1bc0d28e20e37a0a94060efd5428c2db

SHA512
8b1f0f5932896f1876e5f8137dc8f74ff79f02b7708220b53ab2146fc742403ee952c68dddff9a92c786d4a534f7a266327934a8fe84a3c979c016cc8c93efdb

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack
Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8
Filesize
78.7MB

MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\newimage
Filesize
79.9MB

MD5
ba85f8b5a9bf9b6320a6dae439e0f536

SHA1
fc8dc72b58ed72e910ec605537bd35069db324ee

SHA256
caafa9c10903317fc968b8807c23057173859ab6cc8aae89b77220a9d4ee6777

SHA512
75b000b3e21e4f8f4c57032f4dd4d5c526a7bd3fb65da77356a7911f7281289b5512cc90d48cc43b0897b46e40f1ad8de8d1af30ab427ae16625f6007cf4c149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
b8095ea597420c788072cd5932be8cfe

SHA1
22b4e43ffb177841e5ce1d076350607c12dfab3f

SHA256
9aa288ef424642c451824b3cf0eed97a2ba88f6e1ca0f03d818487fb67949271

SHA512
73e2e4af9da2a3ad3d66673f99ce0f66554813ac17d2445a2a39f4499247d0f4af46c385694c5c3fda6fde23ac7aafbd5c59b8ce28f78b5fd79151a6a71f3964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
1KB

MD5
7439acfb52db0c339b6063abf21b9609

SHA1
9a953ec31e7553c9943d11c793452c55e939da36

SHA256
64920236c0a4cbb1bc9b8f2ebbdcd3d0cc89763dc167b13b170d141985e9ca3c

SHA512
244d17809a8769fe9e847f61eccee365b4ab0f6770af97ceddbcc6d4b0dbcc7e031d97acff5802c86d7cf616ff99e758882f431d4914c709a2adc9b666f84713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
43c733836b08c3b61b29be5cf1fdf915

SHA1
094fe8fc3f554998c720f3ca91813dda16fa3b98

SHA256
d3591e005808a7325446c7da5821342f26e8ed2e63ba19cc769d5d29c669725d

SHA512
0dfa39fbc13592e9d4e1d62f8c7280b1a2b2e809a9640d54c25721f557856c548d383999f84cddcd4d3a1ebc62132d0a8f317184fdf700f9c9885d949dcaaa7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8ccf542f5cf7591c3409bc99dd799e60

SHA1
517904b5747310b59a5d71f32d1abf658cca19c4

SHA256
40ae407583f4bbb27bbba52fca6c01e8d4674e9bfb4e353b21015fb662d04a4a

SHA512
dd445a5614b919af9783175444ffcf1563be55ef7258c6238aa4a0a8ebb5d400ffa8e4105bd38ad0f46ea5f0c23c2ab310ff4e77044efab40ca3edaaa8555b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
73a00032dfed42555b8018b884eddb70

SHA1
10dee3815014bb5d9836333f515b1bbc38316373

SHA256
b7b49575305a7dbb679a9510dd8b9e440e63283bd65aec3b496b86ac6e705cac

SHA512
acb44b0023f519d7095ed9cdfb69af32491b3ab7754ba6f55eeb5d52333a49b4b67a16f0f7df371a983b88da8397b6772e274a28fcb223e85af262ba606d0719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d2716c7185004644d31f732b0549ed5f

SHA1
79552ff4bc9276e642e3121c190bbb4440638721

SHA256
7d56c9673e6093385e06245b4dbdc1de219bb2ecebb5aeb89a0e179284c938d5

SHA512
52f08cff7e97bcdf0d15668356225d7e2ca4a171499679097879ff2877996301fa4e90a076975820cdf8662607bc833956c46089bc6cba75fc73d6f8699d3f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
0097db826bdf4f2b4ea784b2cc1a97fd

SHA1
aa5e81982d65b5d96ab517de57820dac07b6e47f

SHA256
027f68e8654b8e3d5c0a6d211fd6ce9e6633e757bf39693015a77122ff054e84

SHA512
7119dd80073916ae77586275ed21ef5c680e17526afabf09cdc5a7414c75389630767099dbec2afa72f30b8f1165914b140bcf6aea815237d87d3b541ee036a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1b4613b022aabfc708742b4c157bb39b

SHA1
a8c9d758c125642efabf4280f96f1ea0b7588c40

SHA256
bc4227cdf4dac0ff9ca95cf040d83ca27fd6301a848eff9c5baafc400bc65288

SHA512
bdfc3b0968f8529fef738b375babd5002df9ff0ad5e997d5479aa9e14ea60b262336ac1c9609b779cb12d4d08bee1845ca02d18e9a9b54dfb30a2d349d020a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4b9d701b2bdb4869606f74721e99e00a

SHA1
52b7153507ef3fffe2a847aa6bd3bcf1c94a1315

SHA256
8a6e88705a7c9b4533bb8a73dbf9700a4a1b9771e26eb2d8e66fa0ef33514060

SHA512
fa747fe359bcb815f37a02df99befcd0799561de77214abd9b29f15accdca6ce9b389a73499d470cdb9d1fc60a5aaf155ee69ba38cf34d00a91faea48e3ea778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
bedc67f937395fad2942a559ca3ae1e1

SHA1
23fc3fc75c14526c0a16a076d9e573f48e0a7cba

SHA256
5a2ae0e849ebc2b9525e59af9e04fbc700fce1d8a6746f4ac0e7a7621154612c

SHA512
e358ad7c14113fc12d4978aed64b019fe6d9875f66fbf01ef27212b8945f11e5a6c4ba846209799215d28775ed918e0c3a47d6ac96d2b379943da64c42e73815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
10eb3cd2c53297625d6ede947c4f32b1

SHA1
f1e60981559cc2585bfcab3faa40bce6b2213be2

SHA256
c4b03e7c48cf96952b6629546d006fff7e610f9dd5fd1543c70a9525a3f2e5a0

SHA512
af23842c682162d22cc57d47d21669c5e8bd4df537dcfb02325877eef6c61d4e0830c50363d72b13f983fd00fb2b446ef615b82c2a6b5738dff7e16e20d256c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
02cf72ebe0f1f8aa367a095be0c9056d

SHA1
f591f3085fd423fa681ba08ff42c8f9eb3604a28

SHA256
b639c85b1aadb6c1651d40462173a5c9f0d3fc93aa3ee334086ef363b0b82f61

SHA512
ac83b2bbd0f79c495b95ade90a421af7e8b882fa4fbb7f4dbd20f11f5da00db2462aed18d06766b17f0de848163834ba1bc9f49ffb8d4dd5138cd5365baf4b02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
eeeb8b4309920fa6c51275f1c752c6ea

SHA1
48bead2efc4b985884249624969643d0672bc375

SHA256
f21a03c3f644a259e6f73fdd4235b8397507627754be9a239c359c123454bb78

SHA512
6599779ebf70521c1cb75c368f9df75c78188f7e4bb49cbca7f7420bc60b726a3fce4ddde7a260b00e9cfcb94c099a2d7f3fb783f286d95e1925a8c06b20dad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
c5a78b71497b47ed4e1a5c530cd5fea3

SHA1
d64bc4cedb9c8e8f58a078367da4b87d2292d9a8

SHA256
c12803d3b2c7329a175dbcf1dffe37ed6cddd59c3dcd4989c7b1c87e04c96939

SHA512
67eae4fdb00317863a7ed16743d785c4788336fc158525f38fbcd433b82e76fa151feb2b22465817d9f9177d4a622d68e89df3f1992075ab1497a70989b79685

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
7ec9ea6702b961e4de19aebb8fd85334

SHA1
b19f94c7f010e2b492c19c6463a045cfadea96bc

SHA256
90513c113f2bc04ef3944f376f6e9b3fa17f16e252905e9ea47d8e626aba12de

SHA512
2cb694f71ab31fe27eb9c16ed2f5c6b2c8fea90c6fc308202f7a1056909068ec81c6f4e8c4e19155920242364109395cc38af9ffc258c226a71e39ebd3fdd4e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\62yy7f8\imagestore.dat
Filesize
32KB

MD5
4c09797a3be5594237aacca38a6eb154

SHA1
878a67bda73137f4f2ee55be0ac14b27ed2ea728

SHA256
918cf3c061e8f7e945628bfd24a59c8d4d1dc0a2b9790b8ed5f0cc0c57930560

SHA512
a8afcae29be39dae8e9cec94923c65e6e744c92bbe55619689f149e4aeff99edf52432125e7010895cb323195337b97988cacc6e8db9f957805467024b116e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJWXLGAS\favicon-196x196[1].png
Filesize
28KB

MD5
a75485f99fd7e589f7a784e87c0eecf7

SHA1
389cc19d374a79ad9779fc0b4165a36b84d55554

SHA256
d38a40b5fe5403a5b6d0a3f6892c99718b31c9a62d3287c1c7292d7ed36ba44a

SHA512
3f594a05e0e6809d47bb1c3d016ae0374b452c0fc6d44f27bc8be447f4dbccdd795e67b5e5356356732708b3ddbf65e1b9479fdddd1ba965618dfa6eed93e11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].es-ES
Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe.ki7ftri.partial
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64[1].exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1143.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1145.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1485.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
6c58a21c1ddc76a5bebcda0a2ad2dbc3

SHA1
3f7f1a85a91915c133be07d21b5577a454d348f3

SHA256
8284635375a0910d5535689c2c53d2ff90d175c8180d62dfa865afecfd5274ff

SHA512
bf6634edae0b5b0f5fc041af78c2ccee88f724309d1d0dceff0eb2d85821866bf0a2fc17863bbc3f83a34ac29452442549d80ec44b1a61315b18ffa66334c263

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
d496125556db597e2e60ddaed3c93a36

SHA1
f939aad7287c6ae5293845e25b5aa1569fc8bba5

SHA256
ff7b0c2cbba4dc7a8b5ac1317aecc7b4200f0f9cb888d930325ec7a27a2a421c

SHA512
ae7be0a0f6e7c7d58f32f7c70c7d2f8a94596e9ff9d4445b4710878b1fd44519ee9a4fee0a4e58c38fc1cd8a97e8afb69b7989a2fc44612806a0f3d1e7343b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF2ACB32BE286E7DED.TMP
Filesize
16KB

MD5
5841350694361b29c44f156cc42ab163

SHA1
75ca4f03f6ff4d51344447ba551764231d2cbd4b

SHA256
85eeca86a4eab4ff9e5d8668098c47a970cd5e7770bf5abde51b74814b90f580

SHA512
c3ab377c9b639272b5cbae4ccbfe50186c0539e2708a7ebe06462633192dc1e197aebd7baaa57e135c3331eaa19834c1267ab62b80f380eefdc944e3ca31c1da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CCQGVDDQ.txt
Filesize
512B

MD5
00750b6d7e64943bd37a8897e7b2e61b

SHA1
46cf87f5559e8b824128e9f5d8c9073160bc72f2

SHA256
f43947c84151cfc52610a99ec7bab5ecf80509b4979d5fb4f16035bf7c2ab15a

SHA512
e35425d8cc39fef9921871955147fde009b2d27efa0968ec2b5b49cef4147877c1d3e18cd9d0e011f2bcd761edb8cf6ac492928446ebc7f057ee9618639fce12

Download Submit
C:\Windows\Installer\6e58db.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
\Program Files\Java\jre1.8.0_51\bin\java.dll
Filesize
154KB

MD5
31401e170ddd8437635c4c8571a80341

SHA1
b79de1ce1b96ad0c3d00c8a32e55043eaeb1bad7

SHA256
3e060e1aafa2fe99f06c34db84a49d3a2f994c1a0dbef40f37dbafd45cd69533

SHA512
fc5e52e5398563a39dd5d8204ffe52a8668c19e1f1bb9706cf408c6c7ed81f8be667d87233bcdfd8739ac022792c36b9147249e5eedb51b21493100ffbf1e5c9

Download Submit
\Program Files\Java\jre1.8.0_51\bin\java.dll
Filesize
154KB

MD5
31401e170ddd8437635c4c8571a80341

SHA1
b79de1ce1b96ad0c3d00c8a32e55043eaeb1bad7

SHA256
3e060e1aafa2fe99f06c34db84a49d3a2f994c1a0dbef40f37dbafd45cd69533

SHA512
fc5e52e5398563a39dd5d8204ffe52a8668c19e1f1bb9706cf408c6c7ed81f8be667d87233bcdfd8739ac022792c36b9147249e5eedb51b21493100ffbf1e5c9

Download Submit
\Program Files\Java\jre1.8.0_51\bin\java.dll
Filesize
154KB

MD5
31401e170ddd8437635c4c8571a80341

SHA1
b79de1ce1b96ad0c3d00c8a32e55043eaeb1bad7

SHA256
3e060e1aafa2fe99f06c34db84a49d3a2f994c1a0dbef40f37dbafd45cd69533

SHA512
fc5e52e5398563a39dd5d8204ffe52a8668c19e1f1bb9706cf408c6c7ed81f8be667d87233bcdfd8739ac022792c36b9147249e5eedb51b21493100ffbf1e5c9

Download Submit
\Program Files\Java\jre1.8.0_51\bin\java.dll
Filesize
154KB

MD5
31401e170ddd8437635c4c8571a80341

SHA1
b79de1ce1b96ad0c3d00c8a32e55043eaeb1bad7

SHA256
3e060e1aafa2fe99f06c34db84a49d3a2f994c1a0dbef40f37dbafd45cd69533

SHA512
fc5e52e5398563a39dd5d8204ffe52a8668c19e1f1bb9706cf408c6c7ed81f8be667d87233bcdfd8739ac022792c36b9147249e5eedb51b21493100ffbf1e5c9

Download Submit
\Program Files\Java\jre1.8.0_51\bin\javaw.exe
Filesize
202KB

MD5
7b23b0aab68e65b93bb6477f05999574

SHA1
920752e4c22e1165e6df27f69599483187edfbb3

SHA256
32546ecf1236769d2d777331f90282fb97589bec75da11c8e727d61d3d4c988a

SHA512
e3395303e53edce3dfa8fe11b7338c77795595a17dac17818e4bc8b77feee4900d541201d6762aa8f46565730e24a5423684049d40bbd074186ef7223c96b604

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll
Filesize
8.3MB

MD5
2894ece7b8de355b13978d6b8ec6e68c

SHA1
cec5cd8450498ee6f81eae2f10e56726b6125be2

SHA256
04d85639dacb86c6efca146051681608727f0376ca5293b9f83b232fc4db6a54

SHA512
634e1cedf63d384c072bbd32dbca35982f7b2a7a77ab6d11130f2d45fd164d17ad080206a650854473370e824ec1153c61821c318a2af7954d2031a38d37bfd4

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Program Files\Java\jre1.8.0_51\installer.exe
Filesize
89.1MB

MD5
de052a3a782280dfe0d333bfb894c7d3

SHA1
c6a2c5150e1a6f7d5fccf5927aef1c5b2a94ea74

SHA256
cacefac05b6719d7ec1bd4945de0e58e9233e54d2ba94d68103bcd2bb04cdde3

SHA512
dfd8bfea673f0c1a37199cd76ceb9f7731eb3c502f02b8e81fd72dc6f4d9cec866fb3133b45ff93127a459be75580d1488609ecf2ab337a685a91fe609245935

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\jre-8u51-windows-x64.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
memory/524-1439-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1052-1428-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1088-54-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1620-1025-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1620-789-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1652-1349-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1996-1420-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1996-1415-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2060-1301-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/2060-1330-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2080-1399-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2180-881-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2180-880-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2180-882-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2180-879-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2180-884-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2352-1162-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2676-1336-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-1398-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2740-1277-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2740-1264-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2840-1364-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2840-1369-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2840-1390-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2840-1394-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2840-1396-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2840-1361-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2840-1360-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download