Malware Analysis Report

2024-09-22 06:28

Sample ID 230322-b1jr3sgb7v
Target TLauncher-2.871-Installer-1.0.5.exe
SHA256 871650166ffb346d7a8642584e58aea90e544c56b54f145ed9444cdbd1baed60
Tags
bazarbackdoor backdoor discovery upx
score
10/10

Analysis Overview

score
10/10

SHA256

871650166ffb346d7a8642584e58aea90e544c56b54f145ed9444cdbd1baed60

Threat Level: Known bad

The file TLauncher-2.871-Installer-1.0.5.exe was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor discovery upx

BazarBackdoor

Bazar/Team9 Backdoor payload

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-03-22 01:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-22 01:36

Reported

2023-03-22 01:39

Platform

win7-20230220-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
(9 hits; no indicator, process or target recorded for any of them)

This is the only family-level signature in the report and the source of the bazarbackdoor tag, and it carries nothing that can be checked against the rest of the run. The remaining behaviours trace to the Indigo Rose Setup Factory runtime unpacked from the installer (irsetup.exe under _ir_sf_temp_0 and _ir_sf_temp_1, the __IRAOFF/__IRAFN arguments, lua5.1.dll, IRZip.lmd, Wow64.lmd) and to the Oracle JRE 8 Update 351 installer it fetches from javadl.oracle.com (jre-windows.exe, msiexec.exe, installer.exe, bspatch.exe). Before acting on the family verdict, confirm it against the memory dumps listed under Files or with a second engine.

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
4 events N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe N/A
9 events N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
4 events N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe N/A
3 events N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
1 event N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
1 event N/A N/A N/A
3 events N/A C:\Windows\system32\MsiExec.exe N/A
1 event N/A C:\Windows\system32\msiexec.exe N/A
3 events N/A C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe N/A

UPX packed file

upx
Description Indicator Process Target
(36 hits; no indicator, process or target recorded for any of them)

UPX is used by legitimate installers and runtimes as well as by malware; without the file each hit attaches to, these rows cannot be weighed on their own.

Checks installed software on the system

discovery

Enumerates connected drives

msiexec.exe opening every drive letter read-only is the Windows Installer resolving its source list and is routine during an MSI install. Every letter except C: and D: was probed (24 in all).

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z:, all letters except C: and D: (24 events) C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre1.8.0_351\installer.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\6d978f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6d978f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6d9791.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6d9793.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3CC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB997.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBA92.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB8C.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Version = "134221238" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_351\\\\bin\\javaws.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800\4EA42A62D9304AC4784BF2468130150F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\PackageCode = "97BA944EF7A3CCC4488541CAD6E00626" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_351_x64\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130150F\jrecore C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\PackageName = "jre1.8.0_35164.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan

Both keys written by irsetup.exe sit under AuthRoot\Certificates, the store where Windows caches roots from the Microsoft Trusted Root Program. The same writes are produced by the automatic root update that CryptoAPI performs when a process validates a TLS chain whose root is not yet cached, and this run reaches tlauncher.org and dl2.tlauncher.org over 443. A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of DigiCert Global Root CA. To rule out a planted root, extract the DER from each Blob, recompute its SHA-1, and compare it against the Microsoft trusted root list rather than trusting the key name.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
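A check for the AuthRoot writes above, as an added example that is not part of the sandbox report or of any tool it names: it parses the registry Blob layout Windows uses for cached certificates (DWORD property id, DWORD reserved, DWORD length, payload; property 32 carries the DER certificate, 3 its SHA-1, 11 the friendly name), pulls the certificate out, recomputes its SHA-1 and confirms it matches the key name. That is how a thumbprint quoted in a report is tied to the certificate bytes actually written. The certificate bytes in the sample input are constructed placeholders, not real X.509 DER.

```python
"""Tie an AuthRoot\\Certificates key name to the certificate bytes in its Blob.

Windows caches each root under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<SHA1>\\Blob.
The Blob is a run of property records, each laid out as
    DWORD propid | DWORD reserved (1) | DWORD length | length bytes
CERT_CERT_PROP_ID (32) holds the DER certificate, and the key name must
equal the SHA-1 of that DER.  Added example; the certificate bytes used as
input are constructed placeholders, not real X.509 DER.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate Blob into {propid: payload}."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {propid} runs past the end of the blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER, upper-case hex: the form used for the registry key name."""
    return hashlib.sha1(der).hexdigest().upper()


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """Extract the certificate and report whether the key name belongs to it."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no certificate (property 32)")
    sha1 = hashlib.sha1(der).digest()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": thumbprint(der),
        "key_matches_cert": thumbprint(der) == key_name.upper(),
        # A stored SHA-1 property that disagrees with the DER is itself suspicious.
        "stored_sha1_matches": props.get(CERT_SHA1_HASH_PROP_ID, sha1) == sha1,
        "friendly_name": friendly or None,
        "der": der,
    }


def build_blob(props) -> bytes:
    """Serialize (propid, payload) pairs in the Blob layout; used to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


# Constructed sample input: NOT a real certificate.
FAKE_DER = b"\x30\x82\x00\x1aconstructed-placeholder-cert"
SAMPLE_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_FRIENDLY_NAME_PROP_ID, "Constructed Test Root\x00".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
SAMPLE_KEY = thumbprint(FAKE_DER)

if __name__ == "__main__":
    good = check_authroot_entry(SAMPLE_KEY, SAMPLE_BLOB)
    print(good["thumbprint"], good["key_matches_cert"], good["friendly_name"])
    # Key name taken from the report, blob from the sample: the two do not belong together.
    bad = check_authroot_entry("A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", SAMPLE_BLOB)
    print(bad["key_matches_cert"])
```

Against a real entry, export the value with reg.exe or read it with winreg, feed the bytes to check_authroot_entry, and pass the returned DER to openssl x509 -inform der -noout -subject -issuer; a key name that does not match the DER's SHA-1, or a DER whose subject is not a root in the Microsoft trusted root list, is the signal that the write was not the automatic root update.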

Suspicious use of AdjustPrivilegeToken

The run of privileges requested by jds7147373.tmp\jre-windows.exe (SeCreateToken, SeTcb, SeDebug, SeLoadDriver and the rest) is the full privilege set; AdjustTokenPrivileges can only enable privileges already present in the caller's token, so these rows record what was requested, not what the process gained. The repeated SeRestorePrivilege/SeTakeOwnershipPrivilege pairs from msiexec.exe are what the Windows Installer enables while it replaces files and sets their ownership.

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe N/A
Token: SeRestorePrivilege (15 events) N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege (15 events) N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Every write below goes from a parent into a child it has just started: the installer chain TLauncher-2.871-Installer-1.0.5.exe (916) > irsetup.exe (1516) > AdditionalExecuteTL.exe (1212) > irsetup.exe (1616), the bundled JRE setup irsetup.exe (1516) > jre-windows.exe (1452) > jre-windows.exe (1316), and the Windows Installer service msiexec.exe (1528) > MsiExec.exe (1488) and installer.exe (768) > bspatch.exe (2164). Parent-to-child writes at process start are part of process creation itself and are not, on their own, evidence of code injection; writes into an unrelated or already-running process would be.

Description Indicator Process Target
PID 916 wrote to memory of 1516 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1516 wrote to memory of 1212 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
PID 1212 wrote to memory of 1616 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1516 wrote to memory of 1452 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 1452 wrote to memory of 1316 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe
PID 1528 wrote to memory of 1488 (5 events) N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1528 wrote to memory of 768 (3 events) N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_351\installer.exe
PID 768 wrote to memory of 2164 (7 events) N/A C:\Program Files\Java\jre1.8.0_351\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe
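To rebuild the process chain from rows in the form the sandbox emits above, the helper below is an added example, not part of the sandbox output: it parses each "PID x wrote to memory of y" row, counts repeated writes per parent/child pair, and prints the tree from the roots that never appear as a child (here the installer itself and the Windows Installer service's msiexec.exe). The sample rows are copied from this report's table, with the first duplicated to show the counting.

```python
"""Rebuild the parent/child process tree from sandbox 'wrote to memory' rows.

Added example, not part of the sandbox output.  Each row has the shape
    PID <parent> wrote to memory of <child> N/A <parent image> <child image>
Image paths may contain spaces (C:\\Program Files\\...), so the two paths are
split where a drive-letter prefix starts rather than on whitespace.
"""
import re
from collections import Counter, defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def parse_rows(rows):
    """Return (Counter of (parent, child) -> write count, {pid: image path})."""
    edges = Counter()
    images = {}
    for line in rows:
        m = ROW.match(line.strip())
        if not m:
            continue  # header rows and blanks
        parent, child, rest = int(m[1]), int(m[2]), m[3]
        paths = re.split(r" (?=[A-Za-z]:\\)", rest)
        if len(paths) != 2:
            raise ValueError(f"could not split process/target paths: {rest!r}")
        edges[(parent, child)] += 1
        images.setdefault(parent, paths[0])
        images.setdefault(child, paths[1])
    return edges, images


def roots_and_children(edges):
    """Roots are parents that never appear as a child."""
    children = defaultdict(list)
    for (parent, child), count in edges.items():
        children[parent].append((child, count))
    as_child = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - as_child)
    return roots, children


def render(rows):
    """Indented tree, one process per line, with the number of writes per edge."""
    edges, images = parse_rows(rows)
    roots, children = roots_and_children(edges)
    out = []

    def walk(pid, depth, count=None):
        name = images.get(pid, "?").rsplit("\\", 1)[-1]
        suffix = "" if count is None else f"  [{count} write{'s' if count != 1 else ''}]"
        out.append("  " * depth + f"{pid} {name}{suffix}")
        for child, n in sorted(children.get(pid, [])):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


# Rows copied from this report's table (two copies of the first to show counting).
SAMPLE_ROWS = [
    r"PID 916 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
    r"PID 916 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
    r"PID 1516 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe",
    r"PID 1212 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe",
    r"PID 1516 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe",
    r"PID 1452 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe",
    r"PID 1528 wrote to memory of 1488 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe",
    r"PID 1528 wrote to memory of 768 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_351\installer.exe",
    r"PID 768 wrote to memory of 2164 N/A C:\Program Files\Java\jre1.8.0_351\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe",
]

if __name__ == "__main__":
    print(render(SAMPLE_ROWS))
```

A process that shows up as a write target without ever being a child of the sample's own tree, or an edge into a PID that already existed before the run, is what would distinguish injection from the ordinary parent-to-child writes seen here; on this report every edge stays inside the installer's own tree.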

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe" "__IRCT:3" "__IRTSS:22740112" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1

C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe" "STATIC=1"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 5E332489C95299D9DCB2C246B1AAC42E

C:\Program Files\Java\jre1.8.0_351\installer.exe

"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}

C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

"bspatch.exe" baseimagefam8 newimage diff

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl2.tlauncher.org udp
US 104.20.235.70:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 tlauncher.org udp
US 104.20.234.70:443 tlauncher.org tcp
US 8.8.8.8:53 advancedrepository.com udp
DE 46.4.112.226:443 advancedrepository.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
NL 104.74.228.243:80 javadl.oracle.com tcp
NL 104.74.228.243:443 javadl.oracle.com tcp
US 8.8.8.8:53 sdlc-esd.oracle.com udp
NL 173.223.112.78:443 sdlc-esd.oracle.com tcp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
NL 104.74.228.243:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 rps-svcs.oracle.com udp
NL 104.74.228.243:443 rps-svcs.oracle.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 61fe17c31b911b6830d799fdc0cc7bd0
SHA1 2c090e42de01b5739576c549b29239d3e17c0db4
SHA256 f2c17c0388db7c9a885f29cac38bfc1312282a7cf4b2f091498305ad1e2ff3af
SHA512 71058f9eee9fdd4cb90d6a436643591591a57acb974d16b59eafa4121df17ce57cf9320e12d6a3f7dfbe06204ce4998a9ac0c0429e40c184b2c3e0343059c390

memory/916-60-0x0000000002F00000-0x00000000032E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

memory/916-123-0x0000000002F00000-0x00000000032E8000-memory.dmp

memory/916-137-0x0000000002F00000-0x00000000032E8000-memory.dmp

memory/916-143-0x0000000002F00000-0x00000000032E8000-memory.dmp

memory/1516-202-0x00000000011E0000-0x00000000015C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

memory/1516-367-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1516-368-0x0000000000C20000-0x0000000000C23000-memory.dmp

memory/1516-369-0x00000000011E0000-0x00000000015C8000-memory.dmp

memory/1516-370-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1516-385-0x00000000011E0000-0x00000000015C8000-memory.dmp

memory/1516-386-0x00000000011E0000-0x00000000015C8000-memory.dmp

memory/1516-387-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

MD5 4231b73055799fd9f377560cdde2ee77
SHA1 bbc3f3278d4482d117ccce1bf98379d3b53b88ae
SHA256 79c31cb9f9480be6380d61d90db709847d295eee8eec3e23a227cc39e90c9cf2
SHA512 c3fdf4ccab692e59d34b6203c8cb5f4bafd10c9b2bcdb8c8d1964bbe0bc9eb51312da2fb54fb22f9a39f62ac31cda145f37d5e9187fc998018d2fe8acf9a8254

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

MD5 556ff7feffa68053cfe234bb4768cf8d
SHA1 1a1d2fcd4852e471f13d169df8f94fff35504a84
SHA256 1ea1f1fd6c18f648ac56418a1e372d876508c7338a961501ebfffd3731c4b2b8
SHA512 46ec56d7301761eeb24ec0ac26035b2ba663e1b3b3c2e4d75d6b2a9776400506e629e4d2c9806765fdd7a1422eb8bf2e25d16f335d84635559e3b8c43eb69df6

memory/1516-421-0x00000000011E0000-0x00000000015C8000-memory.dmp

memory/1516-422-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 61fe17c31b911b6830d799fdc0cc7bd0
SHA1 2c090e42de01b5739576c549b29239d3e17c0db4
SHA256 f2c17c0388db7c9a885f29cac38bfc1312282a7cf4b2f091498305ad1e2ff3af
SHA512 71058f9eee9fdd4cb90d6a436643591591a57acb974d16b59eafa4121df17ce57cf9320e12d6a3f7dfbe06204ce4998a9ac0c0429e40c184b2c3e0343059c390

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG

MD5 3d385f450c5c8812e048866eef4032cb
SHA1 0d80a76c05154b6d413acddd67c44e34e70ac7cd
SHA256 3c382cc1b7f9e5a36254942612c356db62839405d097e69ad5f3c724dbf25f5c
SHA512 cb1cf696cdd8a40e14a7f53b171a59b3ccd176bcdd8312d667889f5c7e76a1e343c4205ea02054e84e74a52b072b5ec7bb0aee92c3963baebcdda043e276f255

memory/1516-444-0x0000000003330000-0x0000000003340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

MD5 54ff70b2677a2e89add25d9d4c45e827
SHA1 42f3e91ae37ffd672bf09051a0bfb91b4417a21e
SHA256 c27d1914c93b485e5ebc3f565355df484f1ebfdfe9b1530659a14bf7362fc903
SHA512 bc7c188c9ee2de3a88ac0be87ef026ff0d0219807a12db8a9c60de93385381225c239f9231d46ca5ff55d19b7960fef468f510f359365f4d151cd6f440f401cf

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

MD5 51be149c8e20df63087c584165516ecd
SHA1 feabbb95b65e6929f086266b06ee1cfef83539a7
SHA256 b949eb246d81688efea07a7655652107ad435f37d493d93dd68c88a9fe6f3e33
SHA512 6f24e4caafd6af85c2f8641d7f2b066dfafa7d6abb512fa62f3642eaa42b549692b15043a3bf0e13cb1fae377fc1d3139dcf5cea3d4def24de197f75297e17f0

C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

MD5 09f599406cd41472c21a694c997ac86c
SHA1 37fcc0253b75968e5d0fe51b8f5186dc110bd979
SHA256 fd07abd5189c4dc4633456a392e3a325c2ae4326c0c702b02a8a7562a825506e
SHA512 972906bf392deaeae9e3fa65be0c26d80c3e174908ee4518bd8ee2b183b71b7e63a46cf39d33ae831e373b544b2d94c3a1c854bb1ad74f2b264d611510b47ed2

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

memory/1212-478-0x0000000002D60000-0x0000000003148000-memory.dmp

memory/1212-479-0x0000000002D60000-0x0000000003148000-memory.dmp

memory/1212-480-0x0000000002D60000-0x0000000003148000-memory.dmp

memory/1616-481-0x0000000000800000-0x0000000000BE8000-memory.dmp

memory/1616-494-0x0000000000800000-0x0000000000BE8000-memory.dmp

memory/1516-526-0x00000000011E0000-0x00000000015C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

MD5 58e22c0ee91280156cdaadacac7acddb
SHA1 189c552c94a9b0ae0208763bca77f2801debc224
SHA256 765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714
SHA512 9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 43f36b57d5ee660347ff2386b74ee6b4
SHA1 c5f142d9feb63f53a7dcb55cf8ffe73ce1087c49
SHA256 e1db7857f9a812e17f2fdedf6aabeea720154af539d089883034aec6b220e021
SHA512 6bc92ea4bf9ed16c7956471b4a579dc460907399708d325663a4d8b621de05aa9621ec7aa567ba56d94af62ca321947908ed9f715c73a918ebce69f11f3c1a2d

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

MD5 980d83a891dd26867c175265e8a0cbcc
SHA1 b15eb9baf9299572f33bf01ba0327931d6eed7af
SHA256 8f6d22333544d1d1ca9e95b7ea9b130896c5cd907f3617eb0d0bb9bc2fbefb93
SHA512 f0d576b24dd794e4531bb103bca56c475921c4893b6be3356d9915b08682e38f67e09235d4cb2b31e0abb96f9e26be735bd920a353136323e9bd1fffce7c4301

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

MD5 4a956b0c212c12268d8ddaaf8d753580
SHA1 edb79d738da8d9b0d0eae334e5f96743bcd6a172
SHA256 8765f68aa0b86d10b7099cef17a9ddb53829c89ef00fce0c0c8af985c001c96d
SHA512 f215cf270d861c3fad3167f1413a5b476641f4836e23101913fe2c442e6c91dc2eb9c9dcf633283d223815a125fc55adbcbd9e019108ede1b24303cfee03320b

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

MD5 1ec547324c2c1681153f84888278af64
SHA1 d57d7ff489a3065010ee227d03fc5428e0c658b7
SHA256 9daed2a9a9ebbf3d3141704bbc89804c24984b6212a65d54aca881fc5440fbe8
SHA512 caeddb67ff156c95be0f824e05bb4d878be04ec9dd8cc12479599fcb437083a8ed8a4a1263038fccd10990f3b00359aecb123532bdd9a51d0f89b4c613e87792

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

MD5 83f3879bf11185a359cda7301f5ad807
SHA1 13c942383808a581bb999d9a91341f307fe81bc8
SHA256 81a6043659884fd6492df1d72bf89dc6348e0952f7ef84ce5230e8888bd8a5b6
SHA512 5799ef5458458b6a80d2bfad2b467a4f9b2ec6537350750c427f0f8b0a2006873e7966b30deea18f4e133b89c05667f26d8ac97481aa52dda7b2069d37aa796e

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

MD5 61791d397432462d29df7ee55b03204e
SHA1 e6ba9a68bf3af02fd3b7d4f9a63ca1c073918a25
SHA256 08846e2c9fe9f79b276546bf7e0b1c94d61576c52b33381993be7933bdc2e9d0
SHA512 6e567d5b1eb83f6c333424ef7eeb46ae50b4446adadd29241a5d9f8f656f8b9a809b9879801379762704196afe978402507d32df9e81a70b74bdcd8f48a81c9e

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

MD5 358613d9e55d35f5b7713065816297ba
SHA1 2bdd919c831e380fe9a5d6067e2b582fb0bba1cc
SHA256 79121232eb42674218c04df75b0177c1c328f4f07b832a83b94249b272a7d9a7
SHA512 a9aecbbb7eddf64196fd5f1e1d79fb43b70843f2fccc819ca3a673c9f5b2951c41516b9c7bafd28cc206656d4ffeeaef7544f9c0e19eded87b626440768a36a0

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

MD5 0b445ace8798426e7185f52b7b7b6d1e
SHA1 7a77b46e0848cc9b32283ccb3f91a18c0934c079
SHA256 2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6
SHA512 51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

MD5 f17aeb2b2b833a6038394b2c6179b1d2
SHA1 9c845ea852742e7060b3c353ac1574b7419c0165
SHA256 e4239a7a03b8eec869d1fbaeebfc2e545aaded0a284e7dcf8f97b217d926d997
SHA512 de9f98802c26095a5d98aac0087390a6710d591064a46be77ac1f8d60031e58f7065cf11e10a518c4f67621371dae3175b913adef32b26afeed7344fd54ed926

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

MD5 7d644a9b99bb5c850b63afa62df777ff
SHA1 7bc29d69489025d0a8e98c365bd18ef66a024b8c
SHA256 64494c345bd6d2cdb78f4e558d23c46ee1248d6e1dd2aaa871bfee9d09c6796e
SHA512 d8e3e616a07e6af54f558a253ad851a44ffe3170a6fa594fd001691a14cced95bd8c06db67f78b64b02a987fc52c01223f9d1c943b2292458203c6c2d4324bd2

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

MD5 d4c87edc11c5cba29eb551905f7e74c6
SHA1 bc5f4d6aa4e7838f735aae110c503eae305bd26f
SHA256 c08f3dde69c684e2094ff17783bd0eed3911a9e6a52a6b310e50562cf9a01f77
SHA512 0fe51a3bbe8bca132ea44c0f05de1419362214d0b6c39e3e1036a42c287c89413576662585400681aecab1809a15b07c46a3126973af682132528b8efbf50cac

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG

MD5 e42eb74e41e5593afd3683140a778d06
SHA1 6a8ae62f76c7f732ada0eebaf5e334f9029bbb9b
SHA256 4d15c8898f0abf26fc231fb3fae4daea0e3b797aaae949965c8eb4d7b0bca48a
SHA512 e0047ef633604bd7ef49d63b833c0a9078012196b6b7544d8929e684f6dd7f12e0813bbda97865a826b9b230e8a2b423323aeb59035b977aa6ac7b69792f6b8a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 465796301cba7f4468544d6bb76e3f9c
SHA1 28ec1286926a0f48d637171554edc63945f67742
SHA256 cf7d30c7f825cbdaf695397a31b8554614893047aadae692a77613c89d4aeb33
SHA512 ce1ff9ec3f00e80d1750cf82ea93dd0b31f68980f7f98c26686671773addab7e74f26e62fd046fb3fd62b43a99e72a813ea76df508a7f7bb6fad166962f91201

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

MD5 a6ec411ef01f6ac4cd62b248363881b4
SHA1 099f7514eb950236fa435b8f0fc93b7bde083e3f
SHA256 892fb8c7ac2a43baa7dd9662e63b7faa1fdbf66a4f86ac859931a19e885d2657
SHA512 443958d700d065e346240cf2df26e17677ce6e1509da7ec98a967a56d03c9fd8feb52c11380ce1f5dfb37eb69ba175a1fa066798776ea475fa8b4e01f1c68da8

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

MD5 b64e03f19e1a455877a71d399f5fb768
SHA1 d05deccf8ab72809b6017c92616ccec0d65ff4a6
SHA256 6181711a74f57401701ee9615da080e9be4e4142cbeea3517fa63b01bffa6c65
SHA512 2d84c29b346c26777c9d6f0479164f3e866766432ba442170b15b9af4f8c880abec936a1e4a6f1ca2c4787349bd8a28039ebba4a1a33d879f27aab90cf71b602

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a32478ab51f02051aece011b607a5e9a
SHA1 fb662b810342fa76d0a5543e481292dcec9b0032
SHA256 d9190e2fb5d16f4a0ce5639eccb5edb9cb645316d9010e097b13f4009c8d35e4
SHA512 f2bef771422f9e4923f84d25a87d812a7eee9685962f440415615b0e7b6ac41e072731cc871562012001e34fe576e4b4e1a6927b398ab22c2658da2d3274fef5

C:\Users\Admin\AppData\Local\Temp\CabD2ED.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

memory/1516-1336-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1516-1335-0x00000000011E0000-0x00000000015C8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

memory/1516-1359-0x00000000011E0000-0x00000000015C8000-memory.dmp

memory/1516-1360-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 3fbdf28f555441f1e2ff0c9a616ebeb9
SHA1 32f8007a26a95c1f76276b5256f4729a911a5865
SHA256 645216379c7bcce5b39e144f3833c8d99e42d682ef270326d61116927aedfdf7
SHA512 20931549e4df54da34bb6dc47fb1901bb269a32f16c534c141e050144389e55730adf48688f29fad8dda2b0baccc697044507949053cfb072500011fd9ba1106

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 3fbdf28f555441f1e2ff0c9a616ebeb9
SHA1 32f8007a26a95c1f76276b5256f4729a911a5865
SHA256 645216379c7bcce5b39e144f3833c8d99e42d682ef270326d61116927aedfdf7
SHA512 20931549e4df54da34bb6dc47fb1901bb269a32f16c534c141e050144389e55730adf48688f29fad8dda2b0baccc697044507949053cfb072500011fd9ba1106

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 e6eecbac6c7ce395bca8fa242819efb7
SHA1 c7c95e2fe9c68b29aff95167e7ff2d16a0cb656a
SHA256 eaccbcfc11deca2dfc5cde90cf9baee1fa3931fadbb665230ee62c3d0b07c955
SHA512 9e4da39876e6913e101279d1b135ba6a571fcf47d351c9446494ebffa59587a97342fcb0c29c9820ebb4ba2520f38dc225ec85a939790fc947b41d925e3bf311

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IZB43374.txt

MD5 93b949931650b69744bcc4067e25cda3
SHA1 3fb6e571e8c56190853ea46936233fb7b7aac1b8
SHA256 e4f145cb0d29dba1b33e62aa5e946462caad05b5ee34888fcd10a021d36c647e
SHA512 adfdecacadbf8c5b50c34ccf7d5add0609245acf561a9b9ef3f0ff94e1ad81765664996ac9f5679802f9f7fe1ccf6b5fa5f6068b7201fa76f4ed757961b6f8ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 b2b3764a0eb3b6ee8f395cc1f3c31d85
SHA1 c3293471d6d018cd316b53c809036835c4060e9b
SHA256 e741768fc8a1a618b926abb44bacd1cb178cd73489d5fd828304c913d785fa52
SHA512 99b7549e1a058d37f47977c312ca8c6a83139f7a1a684022205f930ab7d2f00a57e4e09416860770d86dda1fcf9dcef441693cd2cce13ad42369805a0a1b6f23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 9f107439917c9e91d0534bc2641551ba
SHA1 5e230e66e0a35bfddbe02ea5199e5589c09b6fe4
SHA256 04d0c8763a98980e68d5ec97568a22bf27c145b5dc632cf35a3b86433459f432
SHA512 cd7599f04c98f229113268a2f4a685e0f8d673a891fc2ec5dea4527af4a167d256b9bb72cb173f288a70c3de76d0d93bad3399e072e6cbe1b197d09bcedb1649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0b750ce13eca4f37644696dcf94bd76
SHA1 013608f9a67c6d456966502b66dd6fc3c3231a2c
SHA256 4501573c336ef49b2ebc2e3033d230f097e504e5cb097f11f9d5312a676d49f7
SHA512 acc6ad7a23d199fd5fef945d95501ea7f9872864aaf74c7309769b287158fd6d36482571c5c2a5d94977e7c53e73c1eca59911e0b23643c4b3272ad93aa6b432

C:\Users\Admin\AppData\Local\Temp\Tar477E.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

memory/1516-1485-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\jds7147373.tmp\jre-windows.exe

MD5 dfcfc788d67437530a50177164db42b0
SHA1 2d9ed0dc5671a358186dcf83abb74bfe39c40e9f
SHA256 a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1
SHA512 dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

MD5 1794aaa17d114a315a95473c9780fc8b
SHA1 7f250c022b916b88e22254985e7552bc3ac8db04
SHA256 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4
SHA512 fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c0cb7a60758e4cf6d3522c16cbfdca88
SHA1 527f6b1011e7d1210624a5b780a2233b58feb89b
SHA256 2a91733bfb2c86146a7e604695418944e6567340fca72c43116e3ff0b593a4ca
SHA512 5a4403a017cc66d68f322b4914ebea1a236e626c23a80749f065077cdaaf98a730a5b7ddbe6d475eebeea3435b873dad012abafc1eba313750474c0caa11775f

C:\Windows\Installer\MSIB3CC.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 b42d04b376b6f992dc4e940f30fc32e2
SHA1 55d8bdd871d9f7c1d9158783788d651c88e4582b
SHA256 c67f36109d669bd21aefa8179ce536b8444b5cd0a5930816f0477fb37b845967
SHA512 0f37b3e7a759283335ba2635f44f0bca20b1304e8b842db3e215a90b868258ebf345d58075244c161827b68427fd3ed0c0fff9a846f5fe2644744d24afe09120

\Windows\Installer\MSIB3CC.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIB997.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

\Windows\Installer\MSIB997.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIBB8C.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\MSIBB8C.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

\Windows\Installer\MSIBB8C.tmp

MD5 62cfeb86f117ad91b8bb52f1dda6f473
SHA1 c753b488938b3e08f7f47df209359c7b78764448
SHA256 f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512 c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

C:\Windows\Installer\6d978f.msi

MD5 1794aaa17d114a315a95473c9780fc8b
SHA1 7f250c022b916b88e22254985e7552bc3ac8db04
SHA256 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4
SHA512 fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

\Program Files\Java\jre1.8.0_351\installer.exe

MD5 1b7d3a2eb4a3893ea7fec68dbcc09a81
SHA1 5abe3f871f41d9226f6b330e0d76f4aeb4987891
SHA256 75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5
SHA512 b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

C:\Program Files\Java\jre1.8.0_351\installer.exe

MD5 a573343670a77f384b916608c93973db
SHA1 88790e5f83d3df417d1fe4abdedffa0fe45f3cae
SHA256 3e853cfb55ff0dc68aa56bfd4dd5c0227be448cb898af5a086f4009928caf96c
SHA512 9c5200c3570877bcc6e675b40365f9dd69b236a1b9662993a363ee107ddc85005de0bbee90a5b52f4c6b3631a303bf5d3938e5f55569bba052b257b81543d782

C:\Windows\Installer\6d9793.msi

MD5 1794aaa17d114a315a95473c9780fc8b
SHA1 7f250c022b916b88e22254985e7552bc3ac8db04
SHA256 7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4
SHA512 fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 8a7886153f53ee4f61b0d4a72b8d5d4d
SHA1 faeea5066cb7b26a13e47b11b10e4f32bd461830
SHA256 b550127d33fba29c654afdf67df3fc3c7ab80ffb71f086515187d66b3de56f63
SHA512 0539e666482e51cf8c7fb726cb83e17e74c803172f4048654309a87cd846c40c05a2c270af268d67e747f683cd62e90998fe59fb74aaa58985d343cc98cb5499

C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/2164-1744-0x0000000000400000-0x0000000000417000-memory.dmp

C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\baseimagefam8

MD5 22646919b87d1a6dfc371464405b373b
SHA1 2296c69b12c3e0244fc59586f794457a4735e692
SHA256 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11
SHA512 b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

C:\ProgramData\Oracle\Java\installcache_x64\7195811.tmp\diff

MD5 926bc57fb311cc95bcefa1e1ad0ce459
SHA1 8c43b4d7aa223eaf9c73c789072545da0b2c55df
SHA256 9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a
SHA512 216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-22 01:36

Reported

2023-03-22 01:39

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

UPX packed file

upx

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.5.exe" "__IRCT:3" "__IRTSS:22740112" "__IRSID:S-1-5-21-2275444769-3691835758-4097679484-1000"

Network

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 61fe17c31b911b6830d799fdc0cc7bd0
SHA1 2c090e42de01b5739576c549b29239d3e17c0db4
SHA256 f2c17c0388db7c9a885f29cac38bfc1312282a7cf4b2f091498305ad1e2ff3af
SHA512 71058f9eee9fdd4cb90d6a436643591591a57acb974d16b59eafa4121df17ce57cf9320e12d6a3f7dfbe06204ce4998a9ac0c0429e40c184b2c3e0343059c390

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

memory/1100-147-0x00000000007A0000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab
