Analysis Overview
SHA256
871650166ffb346d7a8642584e58aea90e544c56b54f145ed9444cdbd1baed60
Threat Level: Known bad
The file TLauncher-2.871-Installer-1.0.5.exe was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
UPX packed file
Executes dropped EXE
Checks installed software on the system
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-22 01:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-22 01:36
Reported
2023-03-22 01:39
Platform
win7-20230220-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre-windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_351\installer.exe | N/A |
| N/A | N/A | C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jre1.8.0_351\installer.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\6d978f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6d978f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6d9791.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\6d9793.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB3CC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB997.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBA92.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB8C.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\msiexec.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)" | C:\Windows\system32\msiexec.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe" "__IRCT:3" "__IRTSS:22740112" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe" "STATIC=1"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5E332489C95299D9DCB2C246B1AAC42E
C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl2.tlauncher.org | udp |
| US | 104.20.235.70:443 | dl2.tlauncher.org | tcp |
| US | 8.8.8.8:53 | tlauncher.org | udp |
| US | 104.20.234.70:443 | tlauncher.org | tcp |
| US | 8.8.8.8:53 | advancedrepository.com | udp |
| DE | 46.4.112.226:443 | advancedrepository.com | tcp |
| US | 8.8.8.8:53 | javadl.oracle.com | udp |
| NL | 104.74.228.243:80 | javadl.oracle.com | tcp |
| NL | 104.74.228.243:443 | javadl.oracle.com | tcp |
| US | 8.8.8.8:53 | sdlc-esd.oracle.com | udp |
| NL | 173.223.112.78:443 | sdlc-esd.oracle.com | tcp |
| US | 8.8.8.8:53 | javadl-esd-secure.oracle.com | udp |
| NL | 104.74.228.243:443 | javadl-esd-secure.oracle.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | rps-svcs.oracle.com | udp |
| NL | 104.74.228.243:443 | rps-svcs.oracle.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 61fe17c31b911b6830d799fdc0cc7bd0 |
| SHA1 | 2c090e42de01b5739576c549b29239d3e17c0db4 |
| SHA256 | f2c17c0388db7c9a885f29cac38bfc1312282a7cf4b2f091498305ad1e2ff3af |
| SHA512 | 71058f9eee9fdd4cb90d6a436643591591a57acb974d16b59eafa4121df17ce57cf9320e12d6a3f7dfbe06204ce4998a9ac0c0429e40c184b2c3e0343059c390 |
memory/916-60-0x0000000002F00000-0x00000000032E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 61fe17c31b911b6830d799fdc0cc7bd0 |
| SHA1 | 2c090e42de01b5739576c549b29239d3e17c0db4 |
| SHA256 | f2c17c0388db7c9a885f29cac38bfc1312282a7cf4b2f091498305ad1e2ff3af |
| SHA512 | 71058f9eee9fdd4cb90d6a436643591591a57acb974d16b59eafa4121df17ce57cf9320e12d6a3f7dfbe06204ce4998a9ac0c0429e40c184b2c3e0343059c390 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/916-123-0x0000000002F00000-0x00000000032E8000-memory.dmp
memory/916-137-0x0000000002F00000-0x00000000032E8000-memory.dmp
memory/916-143-0x0000000002F00000-0x00000000032E8000-memory.dmp
memory/1516-202-0x00000000011E0000-0x00000000015C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
| MD5 | e043a9cb014d641a56f50f9d9ac9a1b9 |
| SHA1 | 61dc6aed3d0d1f3b8afe3d161410848c565247ed |
| SHA256 | 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946 |
| SHA512 | 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
| MD5 | 1bbf5dd0b6ca80e4c7c77495c3f33083 |
| SHA1 | e0520037e60eb641ec04d1e814394c9da0a6a862 |
| SHA256 | bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b |
| SHA512 | 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab |
memory/1516-367-0x0000000010000000-0x0000000010051000-memory.dmp
memory/1516-368-0x0000000000C20000-0x0000000000C23000-memory.dmp
memory/1516-369-0x00000000011E0000-0x00000000015C8000-memory.dmp
memory/1516-370-0x0000000010000000-0x0000000010051000-memory.dmp
memory/1516-385-0x00000000011E0000-0x00000000015C8000-memory.dmp
memory/1516-386-0x00000000011E0000-0x00000000015C8000-memory.dmp
memory/1516-387-0x0000000010000000-0x0000000010051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
| MD5 | 4231b73055799fd9f377560cdde2ee77 |
| SHA1 | bbc3f3278d4482d117ccce1bf98379d3b53b88ae |
| SHA256 | 79c31cb9f9480be6380d61d90db709847d295eee8eec3e23a227cc39e90c9cf2 |
| SHA512 | c3fdf4ccab692e59d34b6203c8cb5f4bafd10c9b2bcdb8c8d1964bbe0bc9eb51312da2fb54fb22f9a39f62ac31cda145f37d5e9187fc998018d2fe8acf9a8254 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
| MD5 | 556ff7feffa68053cfe234bb4768cf8d |
| SHA1 | 1a1d2fcd4852e471f13d169df8f94fff35504a84 |
| SHA256 | 1ea1f1fd6c18f648ac56418a1e372d876508c7338a961501ebfffd3731c4b2b8 |
| SHA512 | 46ec56d7301761eeb24ec0ac26035b2ba663e1b3b3c2e4d75d6b2a9776400506e629e4d2c9806765fdd7a1422eb8bf2e25d16f335d84635559e3b8c43eb69df6 |
memory/1516-421-0x00000000011E0000-0x00000000015C8000-memory.dmp
memory/1516-422-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
| MD5 | aa4de04ccc16b74a4c2301da8d621ec1 |
| SHA1 | d05c6d8200f6e6b1283df82d24d687adc47d9664 |
| SHA256 | e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b |
| SHA512 | 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
| MD5 | aa4de04ccc16b74a4c2301da8d621ec1 |
| SHA1 | d05c6d8200f6e6b1283df82d24d687adc47d9664 |
| SHA256 | e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b |
| SHA512 | 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG
| MD5 | 3d385f450c5c8812e048866eef4032cb |
| SHA1 | 0d80a76c05154b6d413acddd67c44e34e70ac7cd |
| SHA256 | 3c382cc1b7f9e5a36254942612c356db62839405d097e69ad5f3c724dbf25f5c |
| SHA512 | cb1cf696cdd8a40e14a7f53b171a59b3ccd176bcdd8312d667889f5c7e76a1e343c4205ea02054e84e74a52b072b5ec7bb0aee92c3963baebcdda043e276f255 |
memory/1516-444-0x0000000003330000-0x0000000003340000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
| MD5 | 54ff70b2677a2e89add25d9d4c45e827 |
| SHA1 | 42f3e91ae37ffd672bf09051a0bfb91b4417a21e |
| SHA256 | c27d1914c93b485e5ebc3f565355df484f1ebfdfe9b1530659a14bf7362fc903 |
| SHA512 | bc7c188c9ee2de3a88ac0be87ef026ff0d0219807a12db8a9c60de93385381225c239f9231d46ca5ff55d19b7960fef468f510f359365f4d151cd6f440f401cf |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | e801c5847f5f9d207db53aaaf5c6f3a2 |
| SHA1 | 8e6818ce66555e2cca92e5c5f32551fb4a91645e |
| SHA256 | 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03 |
| SHA512 | 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | e801c5847f5f9d207db53aaaf5c6f3a2 |
| SHA1 | 8e6818ce66555e2cca92e5c5f32551fb4a91645e |
| SHA256 | 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03 |
| SHA512 | 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | e801c5847f5f9d207db53aaaf5c6f3a2 |
| SHA1 | 8e6818ce66555e2cca92e5c5f32551fb4a91645e |
| SHA256 | 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03 |
| SHA512 | 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
| MD5 | e801c5847f5f9d207db53aaaf5c6f3a2 |
| SHA1 | 8e6818ce66555e2cca92e5c5f32551fb4a91645e |
| SHA256 | 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03 |
| SHA512 | 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
| MD5 | 51be149c8e20df63087c584165516ecd |
| SHA1 | feabbb95b65e6929f086266b06ee1cfef83539a7 |
| SHA256 | b949eb246d81688efea07a7655652107ad435f37d493d93dd68c88a9fe6f3e33 |
| SHA512 | 6f24e4caafd6af85c2f8641d7f2b066dfafa7d6abb512fa62f3642eaa42b549692b15043a3bf0e13cb1fae377fc1d3139dcf5cea3d4def24de197f75297e17f0 |
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
| MD5 | 09f599406cd41472c21a694c997ac86c |
| SHA1 | 37fcc0253b75968e5d0fe51b8f5186dc110bd979 |
| SHA256 | fd07abd5189c4dc4633456a392e3a325c2ae4326c0c702b02a8a7562a825506e |
| SHA512 | 972906bf392deaeae9e3fa65be0c26d80c3e174908ee4518bd8ee2b183b71b7e63a46cf39d33ae831e373b544b2d94c3a1c854bb1ad74f2b264d611510b47ed2 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
| MD5 | aa4de04ccc16b74a4c2301da8d621ec1 |
| SHA1 | d05c6d8200f6e6b1283df82d24d687adc47d9664 |
| SHA256 | e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b |
| SHA512 | 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
| MD5 | aa4de04ccc16b74a4c2301da8d621ec1 |
| SHA1 | d05c6d8200f6e6b1283df82d24d687adc47d9664 |
| SHA256 | e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b |
| SHA512 | 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e |
memory/1212-478-0x0000000002D60000-0x0000000003148000-memory.dmp
memory/1212-479-0x0000000002D60000-0x0000000003148000-memory.dmp
memory/1212-480-0x0000000002D60000-0x0000000003148000-memory.dmp
memory/1616-481-0x0000000000800000-0x0000000000BE8000-memory.dmp
memory/1616-494-0x0000000000800000-0x0000000000BE8000-memory.dmp
memory/1516-526-0x00000000011E0000-0x00000000015C8000-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
| MD5 | 58e22c0ee91280156cdaadacac7acddb |
| SHA1 | 189c552c94a9b0ae0208763bca77f2801debc224 |
| SHA256 | 765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714 |
| SHA512 | 9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
| MD5 | 43f36b57d5ee660347ff2386b74ee6b4 |
| SHA1 | c5f142d9feb63f53a7dcb55cf8ffe73ce1087c49 |
| SHA256 | e1db7857f9a812e17f2fdedf6aabeea720154af539d089883034aec6b220e021 |
| SHA512 | 6bc92ea4bf9ed16c7956471b4a579dc460907399708d325663a4d8b621de05aa9621ec7aa567ba56d94af62ca321947908ed9f715c73a918ebce69f11f3c1a2d |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
| MD5 | 980d83a891dd26867c175265e8a0cbcc |
| SHA1 | b15eb9baf9299572f33bf01ba0327931d6eed7af |
| SHA256 | 8f6d22333544d1d1ca9e95b7ea9b130896c5cd907f3617eb0d0bb9bc2fbefb93 |
| SHA512 | f0d576b24dd794e4531bb103bca56c475921c4893b6be3356d9915b08682e38f67e09235d4cb2b31e0abb96f9e26be735bd920a353136323e9bd1fffce7c4301 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG
| MD5 | 4a956b0c212c12268d8ddaaf8d753580 |
| SHA1 | edb79d738da8d9b0d0eae334e5f96743bcd6a172 |
| SHA256 | 8765f68aa0b86d10b7099cef17a9ddb53829c89ef00fce0c0c8af985c001c96d |
| SHA512 | f215cf270d861c3fad3167f1413a5b476641f4836e23101913fe2c442e6c91dc2eb9c9dcf633283d223815a125fc55adbcbd9e019108ede1b24303cfee03320b |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG
| MD5 | 1ec547324c2c1681153f84888278af64 |
| SHA1 | d57d7ff489a3065010ee227d03fc5428e0c658b7 |
| SHA256 | 9daed2a9a9ebbf3d3141704bbc89804c24984b6212a65d54aca881fc5440fbe8 |
| SHA512 | caeddb67ff156c95be0f824e05bb4d878be04ec9dd8cc12479599fcb437083a8ed8a4a1263038fccd10990f3b00359aecb123532bdd9a51d0f89b4c613e87792 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
| MD5 | 83f3879bf11185a359cda7301f5ad807 |
| SHA1 | 13c942383808a581bb999d9a91341f307fe81bc8 |
| SHA256 | 81a6043659884fd6492df1d72bf89dc6348e0952f7ef84ce5230e8888bd8a5b6 |
| SHA512 | 5799ef5458458b6a80d2bfad2b467a4f9b2ec6537350750c427f0f8b0a2006873e7966b30deea18f4e133b89c05667f26d8ac97481aa52dda7b2069d37aa796e |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
| MD5 | 61791d397432462d29df7ee55b03204e |
| SHA1 | e6ba9a68bf3af02fd3b7d4f9a63ca1c073918a25 |
| SHA256 | 08846e2c9fe9f79b276546bf7e0b1c94d61576c52b33381993be7933bdc2e9d0 |
| SHA512 | 6e567d5b1eb83f6c333424ef7eeb46ae50b4446adadd29241a5d9f8f656f8b9a809b9879801379762704196afe978402507d32df9e81a70b74bdcd8f48a81c9e |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG
| MD5 | 358613d9e55d35f5b7713065816297ba |
| SHA1 | 2bdd919c831e380fe9a5d6067e2b582fb0bba1cc |
| SHA256 | 79121232eb42674218c04df75b0177c1c328f4f07b832a83b94249b272a7d9a7 |
| SHA512 | a9aecbbb7eddf64196fd5f1e1d79fb43b70843f2fccc819ca3a673c9f5b2951c41516b9c7bafd28cc206656d4ffeeaef7544f9c0e19eded87b626440768a36a0 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
| MD5 | 0b445ace8798426e7185f52b7b7b6d1e |
| SHA1 | 7a77b46e0848cc9b32283ccb3f91a18c0934c079 |
| SHA256 | 2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6 |
| SHA512 | 51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG
| MD5 | f17aeb2b2b833a6038394b2c6179b1d2 |
| SHA1 | 9c845ea852742e7060b3c353ac1574b7419c0165 |
| SHA256 | e4239a7a03b8eec869d1fbaeebfc2e545aaded0a284e7dcf8f97b217d926d997 |
| SHA512 | de9f98802c26095a5d98aac0087390a6710d591064a46be77ac1f8d60031e58f7065cf11e10a518c4f67621371dae3175b913adef32b26afeed7344fd54ed926 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
| MD5 | 7d644a9b99bb5c850b63afa62df777ff |
| SHA1 | 7bc29d69489025d0a8e98c365bd18ef66a024b8c |
| SHA256 | 64494c345bd6d2cdb78f4e558d23c46ee1248d6e1dd2aaa871bfee9d09c6796e |
| SHA512 | d8e3e616a07e6af54f558a253ad851a44ffe3170a6fa594fd001691a14cced95bd8c06db67f78b64b02a987fc52c01223f9d1c943b2292458203c6c2d4324bd2 |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG
| MD5 | d4c87edc11c5cba29eb551905f7e74c6 |
| SHA1 | bc5f4d6aa4e7838f735aae110c503eae305bd26f |
| SHA256 | c08f3dde69c684e2094ff17783bd0eed3911a9e6a52a6b310e50562cf9a01f77 |
| SHA512 | 0fe51a3bbe8bca132ea44c0f05de1419362214d0b6c39e3e1036a42c287c89413576662585400681aecab1809a15b07c46a3126973af682132528b8efbf50cac |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG
| MD5 | e42eb74e41e5593afd3683140a778d06 |
| SHA1 | 6a8ae62f76c7f732ada0eebaf5e334f9029bbb9b |
| SHA256 | 4d15c8898f0abf26fc231fb3fae4daea0e3b797aaae949965c8eb4d7b0bca48a |
| SHA512 | e0047ef633604bd7ef49d63b833c0a9078012196b6b7544d8929e684f6dd7f12e0813bbda97865a826b9b230e8a2b423323aeb59035b977aa6ac7b69792f6b8a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
| MD5 | 1bbf5dd0b6ca80e4c7c77495c3f33083 |
| SHA1 | e0520037e60eb641ec04d1e814394c9da0a6a862 |
| SHA256 | bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b |
| SHA512 | 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab |
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
| MD5 | 465796301cba7f4468544d6bb76e3f9c |
| SHA1 | 28ec1286926a0f48d637171554edc63945f67742 |
| SHA256 | cf7d30c7f825cbdaf695397a31b8554614893047aadae692a77613c89d4aeb33 |
| SHA512 | ce1ff9ec3f00e80d1750cf82ea93dd0b31f68980f7f98c26686671773addab7e74f26e62fd046fb3fd62b43a99e72a813ea76df508a7f7bb6fad166962f91201 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG
| MD5 | a6ec411ef01f6ac4cd62b248363881b4 |
| SHA1 | 099f7514eb950236fa435b8f0fc93b7bde083e3f |
| SHA256 | 892fb8c7ac2a43baa7dd9662e63b7faa1fdbf66a4f86ac859931a19e885d2657 |
| SHA512 | 443958d700d065e346240cf2df26e17677ce6e1509da7ec98a967a56d03c9fd8feb52c11380ce1f5dfb37eb69ba175a1fa066798776ea475fa8b4e01f1c68da8 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
| MD5 | b64e03f19e1a455877a71d399f5fb768 |
| SHA1 | d05deccf8ab72809b6017c92616ccec0d65ff4a6 |
| SHA256 | 6181711a74f57401701ee9615da080e9be4e4142cbeea3517fa63b01bffa6c65 |
| SHA512 | 2d84c29b346c26777c9d6f0479164f3e866766432ba442170b15b9af4f8c880abec936a1e4a6f1ca2c4787349bd8a28039ebba4a1a33d879f27aab90cf71b602 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a32478ab51f02051aece011b607a5e9a |
| SHA1 | fb662b810342fa76d0a5543e481292dcec9b0032 |
| SHA256 | d9190e2fb5d16f4a0ce5639eccb5edb9cb645316d9010e097b13f4009c8d35e4 |
| SHA512 | f2bef771422f9e4923f84d25a87d812a7eee9685962f440415615b0e7b6ac41e072731cc871562012001e34fe576e4b4e1a6927b398ab22c2658da2d3274fef5 |
C:\Users\Admin\AppData\Local\Temp\CabD2ED.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
memory/1516-1336-0x0000000010000000-0x0000000010051000-memory.dmp
memory/1516-1335-0x00000000011E0000-0x00000000015C8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e71c8443ae0bc2e282c73faead0a6dd3 |
| SHA1 | 0c110c1b01e68edfacaeae64781a37b1995fa94b |
| SHA256 | 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72 |
| SHA512 | b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6 |
memory/1516-1359-0x00000000011E0000-0x00000000015C8000-memory.dmp
memory/1516-1360-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\jre-windows.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
| MD5 | 7542ec421a2f6e90751e8b64c22e0542 |
| SHA1 | d207d221a28ede5c2c8415f82c555989aa7068ba |
| SHA256 | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 |
| SHA512 | 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc |
\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 3fbdf28f555441f1e2ff0c9a616ebeb9 |
| SHA1 | 32f8007a26a95c1f76276b5256f4729a911a5865 |
| SHA256 | 645216379c7bcce5b39e144f3833c8d99e42d682ef270326d61116927aedfdf7 |
| SHA512 | 20931549e4df54da34bb6dc47fb1901bb269a32f16c534c141e050144389e55730adf48688f29fad8dda2b0baccc697044507949053cfb072500011fd9ba1106 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 3fbdf28f555441f1e2ff0c9a616ebeb9 |
| SHA1 | 32f8007a26a95c1f76276b5256f4729a911a5865 |
| SHA256 | 645216379c7bcce5b39e144f3833c8d99e42d682ef270326d61116927aedfdf7 |
| SHA512 | 20931549e4df54da34bb6dc47fb1901bb269a32f16c534c141e050144389e55730adf48688f29fad8dda2b0baccc697044507949053cfb072500011fd9ba1106 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | e6eecbac6c7ce395bca8fa242819efb7 |
| SHA1 | c7c95e2fe9c68b29aff95167e7ff2d16a0cb656a |
| SHA256 | eaccbcfc11deca2dfc5cde90cf9baee1fa3931fadbb665230ee62c3d0b07c955 |
| SHA512 | 9e4da39876e6913e101279d1b135ba6a571fcf47d351c9446494ebffa59587a97342fcb0c29c9820ebb4ba2520f38dc225ec85a939790fc947b41d925e3bf311 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IZB43374.txt
| MD5 | 93b949931650b69744bcc4067e25cda3 |
| SHA1 | 3fb6e571e8c56190853ea46936233fb7b7aac1b8 |
| SHA256 | e4f145cb0d29dba1b33e62aa5e946462caad05b5ee34888fcd10a021d36c647e |
| SHA512 | adfdecacadbf8c5b50c34ccf7d5add0609245acf561a9b9ef3f0ff94e1ad81765664996ac9f5679802f9f7fe1ccf6b5fa5f6068b7201fa76f4ed757961b6f8ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | b2b3764a0eb3b6ee8f395cc1f3c31d85 |
| SHA1 | c3293471d6d018cd316b53c809036835c4060e9b |
| SHA256 | e741768fc8a1a618b926abb44bacd1cb178cd73489d5fd828304c913d785fa52 |
| SHA512 | 99b7549e1a058d37f47977c312ca8c6a83139f7a1a684022205f930ab7d2f00a57e4e09416860770d86dda1fcf9dcef441693cd2cce13ad42369805a0a1b6f23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 9f107439917c9e91d0534bc2641551ba |
| SHA1 | 5e230e66e0a35bfddbe02ea5199e5589c09b6fe4 |
| SHA256 | 04d0c8763a98980e68d5ec97568a22bf27c145b5dc632cf35a3b86433459f432 |
| SHA512 | cd7599f04c98f229113268a2f4a685e0f8d673a891fc2ec5dea4527af4a167d256b9bb72cb173f288a70c3de76d0d93bad3399e072e6cbe1b197d09bcedb1649 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e71c8443ae0bc2e282c73faead0a6dd3 |
| SHA1 | 0c110c1b01e68edfacaeae64781a37b1995fa94b |
| SHA256 | 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72 |
| SHA512 | b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0b750ce13eca4f37644696dcf94bd76 |
| SHA1 | 013608f9a67c6d456966502b66dd6fc3c3231a2c |
| SHA256 | 4501573c336ef49b2ebc2e3033d230f097e504e5cb097f11f9d5312a676d49f7 |
| SHA512 | acc6ad7a23d199fd5fef945d95501ea7f9872864aaf74c7309769b287158fd6d36482571c5c2a5d94977e7c53e73c1eca59911e0b23643c4b3272ad93aa6b432 |
C:\Users\Admin\AppData\Local\Temp\Tar477E.tmp
| MD5 | be2bec6e8c5653136d3e72fe53c98aa3 |
| SHA1 | a8182d6db17c14671c3d5766c72e58d87c0810de |
| SHA256 | 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd |
| SHA512 | 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff |
C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
memory/1516-1485-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
| MD5 | dfcfc788d67437530a50177164db42b0 |
| SHA1 | 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f |
| SHA256 | a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1 |
| SHA512 | dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3 |
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | c0cb7a60758e4cf6d3522c16cbfdca88 |
| SHA1 | 527f6b1011e7d1210624a5b780a2233b58feb89b |
| SHA256 | 2a91733bfb2c86146a7e604695418944e6567340fca72c43116e3ff0b593a4ca |
| SHA512 | 5a4403a017cc66d68f322b4914ebea1a236e626c23a80749f065077cdaaf98a730a5b7ddbe6d475eebeea3435b873dad012abafc1eba313750474c0caa11775f |
C:\Windows\Installer\MSIB3CC.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | b42d04b376b6f992dc4e940f30fc32e2 |
| SHA1 | 55d8bdd871d9f7c1d9158783788d651c88e4582b |
| SHA256 | c67f36109d669bd21aefa8179ce536b8444b5cd0a5930816f0477fb37b845967 |
| SHA512 | 0f37b3e7a759283335ba2635f44f0bca20b1304e8b842db3e215a90b868258ebf345d58075244c161827b68427fd3ed0c0fff9a846f5fe2644744d24afe09120 |
\Windows\Installer\MSIB3CC.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\MSIB997.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
\Windows\Installer\MSIB997.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\MSIBB8C.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\MSIBB8C.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
\Windows\Installer\MSIBB8C.tmp
| MD5 | 62cfeb86f117ad91b8bb52f1dda6f473 |
| SHA1 | c753b488938b3e08f7f47df209359c7b78764448 |
| SHA256 | f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e |
| SHA512 | c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e |
C:\Windows\Installer\6d978f.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | 1b7d3a2eb4a3893ea7fec68dbcc09a81 |
| SHA1 | 5abe3f871f41d9226f6b330e0d76f4aeb4987891 |
| SHA256 | 75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5 |
| SHA512 | b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953 |
C:\Program Files\Java\jre1.8.0_351\installer.exe
| MD5 | a573343670a77f384b916608c93973db |
| SHA1 | 88790e5f83d3df417d1fe4abdedffa0fe45f3cae |
| SHA256 | 3e853cfb55ff0dc68aa56bfd4dd5c0227be448cb898af5a086f4009928caf96c |
| SHA512 | 9c5200c3570877bcc6e675b40365f9dd69b236a1b9662993a363ee107ddc85005de0bbee90a5b52f4c6b3631a303bf5d3938e5f55569bba052b257b81543d782 |
C:\Windows\Installer\6d9793.msi
| MD5 | 1794aaa17d114a315a95473c9780fc8b |
| SHA1 | 7f250c022b916b88e22254985e7552bc3ac8db04 |
| SHA256 | 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4 |
| SHA512 | fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 8a7886153f53ee4f61b0d4a72b8d5d4d |
| SHA1 | faeea5066cb7b26a13e47b11b10e4f32bd461830 |
| SHA256 | b550127d33fba29c654afdf67df3fc3c7ab80ffb71f086515187d66b3de56f63 |
| SHA512 | 0539e666482e51cf8c7fb726cb83e17e74c803172f4048654309a87cd846c40c05a2c270af268d67e747f683cd62e90998fe59fb74aaa58985d343cc98cb5499 |
C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
memory/2164-1744-0x0000000000400000-0x0000000000417000-memory.dmp
C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
| MD5 | 2e7543a4deec9620c101771ca9b45d85 |
| SHA1 | fa33f3098c511a1192111f0b29a09064a7568029 |
| SHA256 | 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1 |
| SHA512 | 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d |
C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\baseimagefam8
| MD5 | 22646919b87d1a6dfc371464405b373b |
| SHA1 | 2296c69b12c3e0244fc59586f794457a4735e692 |
| SHA256 | 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11 |
| SHA512 | b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0 |
C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\diff
| MD5 | 926bc57fb311cc95bcefa1e1ad0ce459 |
| SHA1 | 8c43b4d7aa223eaf9c73c789072545da0b2c55df |
| SHA256 | 9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a |
| SHA512 | 216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743 |
memory/2164-1752-0x0000000000230000-0x0000000000247000-memory.dmp
memory/2164-1751-0x0000000000230000-0x0000000000247000-memory.dmp
memory/2164-1753-0x0000000000230000-0x0000000000247000-memory.dmp
memory/2164-1756-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2164-1760-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2164-1761-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2164-1765-0x0000000000230000-0x0000000000247000-memory.dmp
memory/2164-1764-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2164-1767-0x0000000000230000-0x0000000000247000-memory.dmp
memory/2164-1766-0x0000000000230000-0x0000000000247000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-22 01:36
Reported
2023-03-22 01:39
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 444 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe" "__IRCT:3" "__IRTSS:22740112" "__IRSID:S-1-5-21-2275444769-3691835758-4097679484-1000"
Network
Files