Analysis Overview
SHA256
78d84068b47cf28b76c88ba4474c7c187510f4e4e967d079d3761dcab7851655
Threat Level: Known bad
The file TLauncher-2.876-Installer-1.0.7-global.exe was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Blocklisted process makes network request
Downloads MZ/PE file
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Checks installed software on the system
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-20 04:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-20 04:46
Reported
2023-03-20 04:48
Platform
win7-20230220-es
Max time kernel
100s
Max time network
137s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre-windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\6d89ca.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6d89ca.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe" "__IRCT:3" "__IRTSS:23645635" "__IRSID:S-1-5-21-3430344531-3702557399-3004411149-1000"
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816338 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1840798" "__IRSID:S-1-5-21-3430344531-3702557399-3004411149-1000"
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe" "STATIC=1"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding DCC12E4D2905E927F8DF24B2F381A1D9
C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
C:\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl2.tlauncher.org | udp |
| US | 104.20.234.70:443 | dl2.tlauncher.org | tcp |
| US | 8.8.8.8:53 | tlauncher.org | udp |
| US | 104.20.235.70:443 | tlauncher.org | tcp |
| US | 8.8.8.8:53 | javadl.oracle.com | udp |
| NL | 69.192.71.29:80 | javadl.oracle.com | tcp |
| NL | 69.192.71.29:443 | javadl.oracle.com | tcp |
| US | 8.8.8.8:53 | sdlc-esd.oracle.com | udp |
| GB | 23.44.232.84:443 | sdlc-esd.oracle.com | tcp |
| US | 8.8.8.8:53 | javadl-esd-secure.oracle.com | udp |
| GB | 2.19.148.12:443 | javadl-esd-secure.oracle.com | tcp |
| US | 8.8.8.8:53 | rps-svcs.oracle.com | udp |
| GB | 2.19.148.12:443 | rps-svcs.oracle.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 111dddf2f308abc2a8f7555d5f642751 |
| SHA1 | 11e6cdccbf29a71a97011b9444cf20c83ad8b57b |
| SHA256 | c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0 |
| SHA512 | 11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 111dddf2f308abc2a8f7555d5f642751 |
| SHA1 | 11e6cdccbf29a71a97011b9444cf20c83ad8b57b |
| SHA256 | c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0 |
| SHA512 | 11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4 |
memory/1396-69-0x0000000002B80000-0x0000000002F68000-memory.dmp
memory/1396-70-0x0000000002B80000-0x0000000002F68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/1396-72-0x0000000002B80000-0x0000000002F68000-memory.dmp
memory/1272-205-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
| MD5 | e043a9cb014d641a56f50f9d9ac9a1b9 |
| SHA1 | 61dc6aed3d0d1f3b8afe3d161410848c565247ed |
| SHA256 | 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946 |
| SHA512 | 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
| MD5 | 1bbf5dd0b6ca80e4c7c77495c3f33083 |
| SHA1 | e0520037e60eb641ec04d1e814394c9da0a6a862 |
| SHA256 | bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b |
| SHA512 | 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab |
memory/1272-366-0x0000000010000000-0x0000000010051000-memory.dmp
memory/1272-367-0x00000000007D0000-0x00000000007D3000-memory.dmp
memory/1272-368-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1396-370-0x0000000002B80000-0x0000000002F68000-memory.dmp
memory/1272-375-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1272-386-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1272-387-0x0000000010000000-0x0000000010051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
| MD5 | 5a7901f7df307fba45b1c377f2c94ccc |
| SHA1 | d6630cf733033cdfbda7af3213d49b32f5b06919 |
| SHA256 | d8471d5a5b4792c4b49e80b5cb22ef1e938dc3069b210646704f658548d7a9f8 |
| SHA512 | fc0036a7ed4b53edd72b91c4824919e6e8a82b5be1e82cdc134e267ef4792424124fb6ba5d7c86cf686910da0baba8453d7a6c12b39a5b4c0cb70658580f3bc9 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
| MD5 | 05d7bba3d6ac92766c4495b8928202a6 |
| SHA1 | 50b65a8ba5ed2633e43929ee4bd58c95a91a3363 |
| SHA256 | 4804f3c4fae714657fdb85e98244828acc6ac938505c2da1ed694ae7b58f2949 |
| SHA512 | 1544d5cd6f85aaeeacd26f2deb9da9eb510226b41079ee78c4dede14386e5ea3446efdfd475bfbfa3a6846fa2ff23d64f4dad3a4ddd304e32de80e4d7bcbc600 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
| MD5 | 52e46b1adf9cd40428b41755df527bd4 |
| SHA1 | 5f0bb9c9c14208851beb5c93d9268c16ab39dc07 |
| SHA256 | a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13 |
| SHA512 | 813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669 |
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
| MD5 | 52e46b1adf9cd40428b41755df527bd4 |
| SHA1 | 5f0bb9c9c14208851beb5c93d9268c16ab39dc07 |
| SHA256 | a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13 |
| SHA512 | 813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669 |
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
| MD5 | 52e46b1adf9cd40428b41755df527bd4 |
| SHA1 | 5f0bb9c9c14208851beb5c93d9268c16ab39dc07 |
| SHA256 | a2794481de60c7dd95b148cd5197db8f8b6a549c74e9ba7ac54da7590f89cf13 |
| SHA512 | 813186667e3c63ee624482642609901d2210a8f99fb134e5fc58e5d1e603055ed2903eadf62c6419c16f00a3a41ed6580bc7693cfed1957d077f53a96b577669 |
memory/1272-446-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1272-447-0x0000000010000000-0x0000000010051000-memory.dmp
memory/1272-448-0x0000000003080000-0x0000000003090000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG
| MD5 | d8a095202e08fa1ac2578982e9a486db |
| SHA1 | 397ffc8af43ac18466b8df245b4faa6b278659e6 |
| SHA256 | 28fed2b9a3cbde34da4b6b5d1af2d2844437d21f6dec85b3ca2faa5cd3b512e5 |
| SHA512 | ac751386a0004e335f4e5f4ea24bf6a474478c8a7ca54d018734e7cd44b8e9a0eb262b00fe1219b1c62c96b018b08ba6b1056d3a13e64b55c7e70d748a6ae9c6 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG45.PNG
| MD5 | 09229c3bfb801177839a7c2e22e33a1b |
| SHA1 | f679c05c4c7b2f3722069420c6d6481fc856e7aa |
| SHA256 | cbf81d779b469942613297a3ca6c09d885e3b1d4aa952dc1994a7175fbfc7e3f |
| SHA512 | 503bfa063b29dda95f15da303f707e5b78a6bdb74662c222d8a8b7e3a33264016a66acdd9de44aea932e7cde80a43c2406ea6f0250d3df8e182217bc4a0a7ed7 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
| MD5 | bbdf2e8c0262e7e606d41ddbe5a3cd12 |
| SHA1 | acbb25f729af14b692ec9c8187a23b1a696f8e47 |
| SHA256 | d7c76896d206d977739556ad2d5811f7cf3117252afcd439a5aa0f2b645f6949 |
| SHA512 | 0334fae3682889adbc18594b7917d8c93252a86bc04d08efc6860d5714ba4eb8aabc39c51e532c4aee57a938021540d2f2899781d9cd1de311036e1850a65067 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | 5027f3112ac2d6f764769102a9145c8e |
| SHA1 | a369a0e1d4ace1a8d66908aa43543bea03c76f5b |
| SHA256 | d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c |
| SHA512 | 181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | 5027f3112ac2d6f764769102a9145c8e |
| SHA1 | a369a0e1d4ace1a8d66908aa43543bea03c76f5b |
| SHA256 | d61d2469b6058ac40def94cea42045a6f53e39694645add82949e0a011d5b36c |
| SHA512 | 181a00ac87820a08f73ffe7c3d26dfec56d3440a40d9ea67ab9b242b4653b712461a201118c9d0f747502a06e689d3badcc0986667814bb0a19c8f00d47d491f |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
| MD5 | bfa30f0f8ddfa2b091e8cdf0910c3b99 |
| SHA1 | e89541fcf497406e1c1177712c087bddf6a709ff |
| SHA256 | fd12e9b05ed50b112b29e9c6372d222da34bb1899fcf90debf9f37935f280d2e |
| SHA512 | 02bbb41eb377bd36d711dfbd03bea712ed69e1f56540ea75f8807eb56165b378126fec8548563d4d651085d61554fde53869a69adb53672c0cb774cdbae5fa6b |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
| MD5 | aec508468d53ab8d55f5b4beb82c347d |
| SHA1 | 477d1ffb28834243f5811a4a2a54b4f0ca240120 |
| SHA256 | ebee84e34e221ad822486432333bad9e6357af2fb0d9651cc61c7fab8ec9b5bf |
| SHA512 | 26a0278af2a9e75ef966bc3f7f40d7669204c2004a043adaad102ef440caa6282e69372ca0c3c7d39a8450691d528c2dc77a4386bfb0c6e5a2a76c3fef900fbe |
memory/848-502-0x0000000002B70000-0x0000000002F58000-memory.dmp
memory/848-503-0x0000000002B70000-0x0000000002F58000-memory.dmp
memory/848-504-0x0000000002B70000-0x0000000002F58000-memory.dmp
memory/1544-505-0x0000000000E10000-0x00000000011F8000-memory.dmp
memory/1544-506-0x0000000000E10000-0x00000000011F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
| MD5 | f08d9bbc61cff8e8c3504524c3220bef |
| SHA1 | b4268c667469620bb528c04eaa819d508159b398 |
| SHA256 | 2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb |
| SHA512 | a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
| MD5 | 1bc013a800b741d24dd540a91a5a2950 |
| SHA1 | ccf23e54cf5feb6b956f244199636564ceed1b6d |
| SHA256 | 623bcf40316abb18f05d461bc7324f3035cf46398e2924b45b714d4b230f7572 |
| SHA512 | c9d402dcc547ed3b7c64f2864d09465e8c010797ec3edd5b265ef07f58d4ef6e77f22277c16576c64afa1329a66f98fb1ed2658d382819c8fe813ff0a10dbb5e |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
| MD5 | 2799f9daca46770a871ce1b5eed32e7c |
| SHA1 | a2792f571210a7f38cdbe49391017300ee7b1ce4 |
| SHA256 | fc22676f5b6cdae17b78ddfd16bb070687516fbc827a7edd0541f3a32d85c9e9 |
| SHA512 | c41f2e4c4ca59d6f9d11fac11296ab87f1b508b5d64e5db7762f2f6dd387aa96206b2b0fa127f17c0b8c24a0b56e81af12d5937474a450222d9c4416c1acb16a |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG11.PNG
| MD5 | a7abdc35d821b444be3ff4c2c076b9df |
| SHA1 | 1b8b0bef1a10a8b22d32a288efbd32b25dbf46fc |
| SHA256 | 7fae8a0524f3bb30ef060439eefd7660ff67c30b9c22910e124cc1275a55c2df |
| SHA512 | 69b4c2acd15c8dff520c8d1031a344a8cc762440b4eff3b43934709fec2402d558e9bfddd828f0a6dbff45813d57e1d587a65f7d8a79f724729317d87aa16003 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG
| MD5 | 46a65321aa1fce57d465c26e8b6eb392 |
| SHA1 | 9efb9a3acd5b32556ea66398c74b014f91087559 |
| SHA256 | 61df7a1f0367209668d4f0f6a285b8baff864d1341d382ebbc7fd4e71036b666 |
| SHA512 | 094d69016f066ae835c71d7a950217b9ad09e8cd4d74131787203cae950e572c18213dc1ded139b1fa46c7f803cc15bf4f596c9d51aefe0d43850ae2865f3707 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG29.PNG
| MD5 | e6663f52235742a1dc27b96241538ff5 |
| SHA1 | 37234351ade7563f9dc8fb05eba0a13d3fd65a7d |
| SHA256 | 26a99701ea3b890bc5e09dab86f5ed6db99a4d62db5b35b55e2b5a3598478e49 |
| SHA512 | 090719e1745c1e23b7ac623d6a102797c206e03529e7706af7e2cd35b17352750587a5689997a923134ebe988e94843da8deab770bca60935f08964fa7ce6e2b |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
| MD5 | ce17d7ce06488f394ce124f17d5acafc |
| SHA1 | 8a5dceae9ea369b686123c8f940bb0ea07870ffa |
| SHA256 | c4b04568930f03979d71f48a57b9ad06b4cdf687272f6753ff662006e8e6237f |
| SHA512 | c33f1370213cabd1b84c936f1ac14f9bcc83bc03a633bbe25efe1e906bcee515d0e615c86b7ee3b34404dd1d95ce74d1a00908de8cdacbf9961de3f1ceb8362b |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
| MD5 | 1f5c8939031a7f93762862cfc88a8e56 |
| SHA1 | 6dc4df87344db0ddf09c777e7a80d1b5661559b8 |
| SHA256 | 14be26e969eb15ef7e76e0ad02d8aa0516c5391e8b09dba0a9a6c5f57ae24aba |
| SHA512 | de45d700c86329c704777917863fd1ddeca90d2bed67a72794164882bf15725ce83c7733f664ee0a2af7df54a6be2def729d19237fb2c434115396ac126ff47f |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
| MD5 | 0b445ace8798426e7185f52b7b7b6d1e |
| SHA1 | 7a77b46e0848cc9b32283ccb3f91a18c0934c079 |
| SHA256 | 2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6 |
| SHA512 | 51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG8.BMP
| MD5 | d2b43decae0a14deb90423bfb687dc63 |
| SHA1 | c191705fcb927d476d4fc639860bd52e324a274c |
| SHA256 | 3266fb3a33a97fac7d71652129865c3d0dd06e70af6ed5a3b2506d842eb69e70 |
| SHA512 | 3cd903b0c4590e25502cd0f91b678c1e798989211e174d5a6dbfd52b343a426b867204979cc078a4919d63a4c4401c4f8eaa295227cec0ccc043c7e285d3d2df |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG54.PNG
| MD5 | 6c6f8e031e196f2f57c70ea411091c28 |
| SHA1 | 266c1b4feb60f06387c30ec810c52b5a570706b9 |
| SHA256 | ea64efad0cabdb9300ba83804b7b98e36393e1626a684ce0abd38d1ed1d34e90 |
| SHA512 | f4018b1a0bc65390cb96581dbf4f4032317304cbaf8526ef1cbb2f700ab501859b007c13989f5df81247d959c35e721cfceb5ff6c95cbf2cd198a74198d68a58 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
| MD5 | 1557c08e187b7783083e0b80051fd321 |
| SHA1 | 2c6ee47799d713e88fd589609b81912a4522044e |
| SHA256 | 0c0e74dd07c45833a5dd7ba931e5d528eb16334defdd06171df2f632d6e47842 |
| SHA512 | 485f69b3878b2bd7fdf52ad020dde2cbc34dd1970aaa4e5eb8f8618f6091b5b827b428447859499c3d61ea9cde2edcbb97c8fb0560cd0aaff50027c0f97ee6f3 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG73.PNG
| MD5 | 44411a40791606c0445226eff31e43ee |
| SHA1 | f482762866ad847b10b11a3108709cb554d1f9f1 |
| SHA256 | 2205b4c552bcc49ffa7964b61b6c20dc4bbad14c941e8f695db1dbb6719349e4 |
| SHA512 | e5e4e67fc3a5564e7cc5c267f816362558439d0c3c33f6ad52d2f4ebfeb01f0dac4f6e4b72fb6da53ea343d306d4cc662cde54c149d7f8a4767c2f8a57e84066 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG
| MD5 | 03b1d78771eb279766efb2d9f2fa8463 |
| SHA1 | 8f10e304fd65e58136ccd6ab012ffc594e6fb707 |
| SHA256 | eec16d2cb57e38b485b6a269e9c2554c1dfc3b70dec9f7bbddc2b62526b3d832 |
| SHA512 | ca51cbaf20e6f62eb6ec69555d259ef61828d3166d09106bcd335dd417ed30660af71e7fd8db6bd22bf134cc530e1a55ecdd2c307e64e8edb28af95299d66f5a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
| MD5 | 1bbf5dd0b6ca80e4c7c77495c3f33083 |
| SHA1 | e0520037e60eb641ec04d1e814394c9da0a6a862 |
| SHA256 | bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b |
| SHA512 | 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
| MD5 | 23ab96644cb4ee20c7cce84ac3c354e2 |
| SHA1 | d433d070373a4bd45b19331d28d7e652a9c876af |
| SHA256 | dd9f6620a3d77fe08fa3814eca83fa1bac9e37e404ae19e169087b2d042fa6f0 |
| SHA512 | 5c9c8f0f59f1e6ea98999c424198b77fa7b2151e0dbbd16e7b2a3e6ff2eb61422bd79d2b5d28ef442cce2ba9c9f37e079963701bd38e84b82fc1cdfe753a5840 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG92.PNG
| MD5 | 5f84b4bf9384d9fea8faecb0ca1abc97 |
| SHA1 | 71c514dcdc0ac966a4c072949fcfadc0150618a5 |
| SHA256 | fa6875692ce4824a5ea7b054e513a6d85351304ef327aa6d179482fad49b91ec |
| SHA512 | 61546cb94e9dd560e483d5ef912212116c20e18b989dcefa3a99444417061ad9038c0806d903ecc39c970ea6b225f80c9df3804a48a91bcd5b7e078cb878d6e2 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
| MD5 | 667b0b54ee5ba0d1cb66190226596e46 |
| SHA1 | b8658b35e7cf44b24053e4d01d3b51233d6526f6 |
| SHA256 | 3a9ab8c3640f1b40b33553d7d3dd3d15bd6e702ef510ec0b66a2f14aa744bf83 |
| SHA512 | 9ccc773214a0074634be66801d81d7a593ab154351fdbd1b93f56ffa80cf824ee31ff2e13f26536d5f3096e90df43fa223080b4dc55340614b076c08ef976dcb |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG
| MD5 | 38c12e1a54f8fd216ed3f13b36798cc6 |
| SHA1 | ccf1fe585d3374ebce4c1ec025e2d8ec39968a7c |
| SHA256 | 608924ba294590b5b706658d9aaa71b480ad9aa1b6797bbc5cf1632ac6c616b1 |
| SHA512 | 0918af63f006d7fa04a3faeeb813e61c060316a126c4742a948a30f5b6ea368c3b8592011319dad3dbf8427dfcc095aa72f7b651d6fc31061f861f070447331b |
memory/1272-1331-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1272-1332-0x0000000010000000-0x0000000010051000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d15c07bd10ce36165017e2b3dc0be223 |
| SHA1 | 9a9e20988274c957412caac0cebbedc6b34dfac0 |
| SHA256 | 8d7f7cbfbb108f32a7db8b515eac0dc06aada98e39978c6b0a00b3c6326e56d1 |
| SHA512 | bf03d95739d80394e014bdcfe0aa615676beeeddb7e860c400fb34828c57a0f71009b7b7231af304fd0c85beaf4abeb92ba225c2285add4dd216c8372784c631 |
C:\Users\Admin\AppData\Local\Temp\CabC6FB.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
memory/1272-1350-0x0000000003080000-0x0000000003090000-memory.dmp
memory/1272-1351-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
memory/1272-1352-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\jre-windows.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
C:\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
\Users\Admin\AppData\Local\Temp\jds7140196.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 8e2f16cd04e7a3a16ec5f58c987a0405 |
| SHA1 | 5e355dd89475d14221f216800dc1ddb02f72d261 |
| SHA256 | 954fba11ac09b76c0dbef49ffe71a74a7d04e0cd56e20017f404ce7de593a3ee |
| SHA512 | 74c58ecc104ab3b32703aba5bfb4ec2cdfff6fbaf8f4e74a20f661ffc02133a1499667e13b9b601e4296aba5b2ca311abb02f6b70efa196c54c30e7ae2728441 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 80887c2e7d28bc59935cfc608066ea61 |
| SHA1 | 2f55c5e428f19b2ea46208b7b62091f75fbcb629 |
| SHA256 | 7d73d3598d13990dba353fd663eb081124557d6d993d46ad2e93b3d0f035633a |
| SHA512 | b4d8219e169c4658dfee21e4048fd124c1da2088ee4c4e0672cbd6913c1ea1f4418abe2e016c1a9682d8cfdf659212c78ad6b6bf5d9203291342bf5b8b713d41 |
memory/1272-1452-0x0000000000BF0000-0x0000000000FD8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H4ZNA46U.txt
| MD5 | 8dd1d8229f61de21a09aacd616cc4360 |
| SHA1 | 5062fdb3e8828e4725319390a001d9418c77fc2a |
| SHA256 | 6ec212b66cb4f5487e6ce94e5a9c7ad421cc476ddb08a54b9c1f0e8d3c797468 |
| SHA512 | e3c8922025a90316d1472f1abde8293283b9f4d6cd2989f02ce284ae0a62b920037674e01f03834013df5a60677d4df85e05c491a1e9fc61044b0beb7dcd7662 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 691538b2898e5d8740b8619e744c7b0c |
| SHA1 | 380c125a8c7d2127d5e10eb69a883e74c4d51693 |
| SHA256 | 2e41c650d4d485f099c3ebf4c732e7c9cb98c577411af7ebe6577324699bffab |
| SHA512 | 59bf17c8f306c09c05a6e1bf8d66adbe79fea6c359d8a1f877f14311e54871ab384810fe1f5eb38951f53eff31c543d64667b5bb030a774d2df8e18e45e90db0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | f017f4a48f27e5cbd03cea0c7ebc007c |
| SHA1 | cf87cd416271dd29bc2dcbbac9b6ee357ed1328c |
| SHA256 | 12393676800d1cc7a2efea6cad11545c505be3be73901cda5df1ade24aadf2f1 |
| SHA512 | b947ea2686290417811ed15f972221304b29e8895af8ac57a4205845fcf61d22a88aaaffa3a768f4fdb4fd2f26bfcab7d8e922ffe168a4d3d5713ceb5d490b9d |
C:\Users\Admin\AppData\Local\Temp\Tar10A6.tmp
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_351\Java3BillDevices.png
| MD5 | b3c9f084b052e95aa3014e492d16bfa6 |
| SHA1 | 0e33962b2191e7b1a5d85102cdf3c74fcd1254e4 |
| SHA256 | a68ddd67f6fcb0bbf1defa0778ee543e92c1074c442197ab623f733cc6285948 |
| SHA512 | 06f51ac2962a0ec5f05ad6c90a2ba85b851d1fa2f0c079dc264fe930316cead959f68f6e34ff591b131867b482c266ac42400b06385dae712637ff0a90f902d4 |
memory/1272-1510-0x0000000010000000-0x0000000010051000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
C:\Windows\Installer\MSIA1D2.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
\Windows\Installer\MSIA1D2.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | f95a8c3b952ee880cfca532368d6e1df |
| SHA1 | 3bbeecf8dd55e3dd4b4cf6c8a9e1a0e6fa4f5ac6 |
| SHA256 | 757d3440a836885f975b14c4c767e8793a8cab5a6b3de9464a7fce897e39252d |
| SHA512 | da4ee72ea36fcb60602c5632eb97d565c4e78c3013074f7aa6e2ab41b9a1ae63fe9d7855545e842f2f444b979c1158ff8276548617da906cadde9862eb87d8f7 |
C:\Windows\Installer\MSIA655.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
\Windows\Installer\MSIA655.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\MSIA8B8.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
\Windows\Installer\MSIA8B8.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\6d89ca.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | 99e055c9523400fbd19cbfbef7802e45 |
| SHA1 | dd3870a8eb0c6940512a5f05d9d89c7734d596be |
| SHA256 | ae9543e14da6045fc99d22c7c7cc3c361f83fff7d6856dedb2f2a4e3cbe202ac |
| SHA512 | f9cfdb6118c32064e58eecb1fbe54ce100084b94bc95db25c0c54362c322ef99358211a1a24b106c2a5c789ceef3988761404436b8c41d8386bd1e658e4cba02 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 530e8f8883d882ead210877df011d482 |
| SHA1 | ae3208d935868596d6b15d4cc08ed47f9b04d009 |
| SHA256 | 41c60d2f4557d409258594a912b2d87c47828d605396fe8c8fe333ab9e8cee05 |
| SHA512 | 84058e33f5cc9100aa3725aeff6097cc3f9059f5f50a1d8c066df55c5bf39b33fadc69ee8e1964bd1d41d7267efb94fd571befffca21baa16d51da7f586df725 |
C:\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | 52a70480e8c15b2ed150ba5e6d627236 |
| SHA1 | 8a3a665f59ccf6faeb143abbb4243cc8ded4090e |
| SHA256 | 644b57bb44c7006b0ceb6399341ec95db417353e6ca4a9c3ba6bded0251ce1a4 |
| SHA512 | b12c2d07cb51e6255ff6094963676ab678f18b64811aa102994e9a74757a4cff88514746a15298adf89bd4ee97896c0b1e4f43f917a4f97842ab02fca9486686 |
C:\Windows\Installer\6d89ce.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
C:\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
C:\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\diff
| MD5 | 926bc57fb311cc95bcefa1e1ad0ce459 |
| SHA1 | 8c43b4d7aa223eaf9c73c789072545da0b2c55df |
| SHA256 | 9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a |
| SHA512 | 216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743 |
C:\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\baseimagefam8
| MD5 | 22646919b87d1a6dfc371464405b373b |
| SHA1 | 2296c69b12c3e0244fc59586f794457a4735e692 |
| SHA256 | 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11 |
| SHA512 | b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0 |
memory/1660-1747-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1660-1748-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1749-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1750-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1753-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1660-1757-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1660-1758-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1759-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1760-0x0000000000230000-0x0000000000247000-memory.dmp
memory/1660-1762-0x0000000000400000-0x0000000000417000-memory.dmp
C:\ProgramData\Oracle\Java\installcache_x64\7191396.tmp\newimage
| MD5 | 922e1568df2ede8ee1be03f8a6945b54 |
| SHA1 | dd51c8c8db519e55e2ab9de513984fba881b6525 |
| SHA256 | ae2cc66101a95a2fbbdba657f881aa328d3996db05627596a2011442bc7b2db5 |
| SHA512 | 76e1a7790656cb3e9739a5da5439d8047746aff884b3c0a013c6557c7164d363f33ad50c83d084a30211a82435375a01548318ce6e46e3d2186451cc5acb809b |
\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
| MD5 | 691f68efcd902bfdfb60b556a3e11c2c |
| SHA1 | c279fa09293185bddfd73d1170b6a73bd266cf07 |
| SHA256 | 471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70 |
| SHA512 | a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f |
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
| MD5 | 691f68efcd902bfdfb60b556a3e11c2c |
| SHA1 | c279fa09293185bddfd73d1170b6a73bd266cf07 |
| SHA256 | 471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70 |
| SHA512 | a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f |
C:\Program Files\Java\jre1.8.0_351\bin\VCRUNTIME140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 883120f9c25633b6c688577d024efd12 |
| SHA1 | e4fa6254623a2b4cdea61712cdfa9c91aa905f18 |
| SHA256 | 4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc |
| SHA512 | f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f |
\Program Files\Java\jre1.8.0_351\bin\vcruntime140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-20 04:46
Reported
2023-03-20 04:49
Platform
win10v2004-20230220-es
Max time kernel
162s
Max time network
156s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4580 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe |
| PID 4580 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe |
| PID 4580 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.7-global.exe" "__IRCT:3" "__IRTSS:23645635" "__IRSID:S-1-5-21-1529757233-3489015626-3409890339-1000"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl2.tlauncher.org | udp |
| US | 104.20.234.70:443 | dl2.tlauncher.org | tcp |
| US | 8.8.8.8:53 | 70.234.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| JP | 40.79.197.35:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 8.8.8.8:53 | 185.130.69.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 111dddf2f308abc2a8f7555d5f642751 |
| SHA1 | 11e6cdccbf29a71a97011b9444cf20c83ad8b57b |
| SHA256 | c65af78739ffcd7bb6673f167624522ac8172516a1d3783e5171f9eabd625be0 |
| SHA512 | 11662a0f5cd850578d2799217393f979f0dc029450f4fbf17780eae69494fb3f4de5a617d31f3fbf5b3a7179eea7bf9ded2555fb61703baeb74885d6bf0421c4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/4152-206-0x0000000000EA0000-0x0000000001288000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
| MD5 | e043a9cb014d641a56f50f9d9ac9a1b9 |
| SHA1 | 61dc6aed3d0d1f3b8afe3d161410848c565247ed |
| SHA256 | 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946 |
| SHA512 | 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
| MD5 | 1bbf5dd0b6ca80e4c7c77495c3f33083 |
| SHA1 | e0520037e60eb641ec04d1e814394c9da0a6a862 |
| SHA256 | bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b |
| SHA512 | 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab |
memory/4152-440-0x0000000010000000-0x0000000010051000-memory.dmp
memory/4152-441-0x0000000007120000-0x0000000007123000-memory.dmp
memory/4152-456-0x0000000000EA0000-0x0000000001288000-memory.dmp
memory/4152-457-0x0000000010000000-0x0000000010051000-memory.dmp
memory/4152-462-0x0000000000EA0000-0x0000000001288000-memory.dmp
memory/4152-481-0x0000000010000000-0x0000000010051000-memory.dmp