6a545e114b975fcd271e42b2ad9677c8b8cc1c1dbbda673e00933389fdabbbec

Resubmissions

09/06/2023, 16:21

230609-tt6blsde3x 8

09/06/2023, 16:10

230609-tmqycadd91 8

Analysis

max time kernel
175s
max time network
214s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/06/2023, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.885-Installer-1.1.1.exe
Size

22.6MB
MD5

48dbfef6adefcbf6e2423cc493071ba7
SHA1

5a651d75fbe4a129cf478929c67dde806e73cb15
SHA256

6a545e114b975fcd271e42b2ad9677c8b8cc1c1dbbda673e00933389fdabbbec
SHA512

60847a9cb05afd4d3d22dcaec9bca2ac11de84807b8f1af27115b8199cd9910235716786ca4f67b4b2f5e95b633b82f0842bd711a7d49dee03367e506446a855
SSDEEP

393216:1XO/cjhHQbGPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOL:1esQsHExi73qqHpu34kYbzOL

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	324	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1868	irsetup.exe
1164	BrowserInstaller.exe
1712	irsetup.exe
1184	jre-windows.exe
1080	jre-windows.exe
1360	installer.exe
1352	bspatch.exe
1444	unpack200.exe
1304	unpack200.exe
1604	unpack200.exe
1884	unpack200.exe
584	unpack200.exe
660	unpack200.exe
1592	unpack200.exe
1328	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1384	TLauncher-2.885-Installer-1.1.1.exe
1384	TLauncher-2.885-Installer-1.1.1.exe
1384	TLauncher-2.885-Installer-1.1.1.exe
1384	TLauncher-2.885-Installer-1.1.1.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1164	BrowserInstaller.exe
1164	BrowserInstaller.exe
1164	BrowserInstaller.exe
1164	BrowserInstaller.exe
1712	irsetup.exe
1712	irsetup.exe
1712	irsetup.exe
1868	irsetup.exe
1184	jre-windows.exe
1260	Process not Found
1260	Process not Found
1132	MsiExec.exe
1132	MsiExec.exe
1132	MsiExec.exe
324	msiexec.exe
1352	bspatch.exe
1352	bspatch.exe
1352	bspatch.exe
1360	installer.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1444	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe
1304	unpack200.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0190-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0082-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0147-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0150-ABCDEFFEDCBC}\InprocServer32	installer.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000013110-57.dat	upx
behavioral1/files/0x000a000000013110-60.dat	upx
behavioral1/files/0x000a000000013110-66.dat	upx
behavioral1/files/0x000a000000013110-64.dat	upx
behavioral1/files/0x000a000000013110-61.dat	upx
behavioral1/files/0x000a000000013110-68.dat	upx
behavioral1/files/0x000a000000013110-71.dat	upx
behavioral1/memory/1868-347-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-368-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-390-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-391-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-424-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/files/0x000a000000013110-430.dat	upx
behavioral1/files/0x000400000001cb39-465.dat	upx
behavioral1/files/0x000400000001cb39-464.dat	upx
behavioral1/files/0x000400000001cb39-461.dat	upx
behavioral1/files/0x000400000001cb39-470.dat	upx
behavioral1/files/0x000400000001cb39-472.dat	upx
behavioral1/files/0x000400000001cb39-468.dat	upx
behavioral1/files/0x000400000001cb39-476.dat	upx
behavioral1/memory/1712-486-0x0000000000EE0000-0x00000000012C8000-memory.dmp	upx
behavioral1/memory/1712-499-0x0000000000EE0000-0x00000000012C8000-memory.dmp	upx
behavioral1/memory/1868-1316-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-1343-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/memory/1868-1357-0x0000000001060000-0x0000000001448000-memory.dmp	upx
behavioral1/files/0x000400000001dca4-1729.dat	upx
behavioral1/files/0x000400000001dca4-1730.dat	upx
behavioral1/files/0x000400000001dca4-1732.dat	upx
behavioral1/files/0x000400000001dca4-1733.dat	upx
behavioral1/files/0x000400000001dca4-1731.dat	upx
behavioral1/memory/1352-1736-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1352-1741-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1352-1745-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1352-1749-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1868-2317-0x0000000001060000-0x0000000001448000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7247853\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\charsets.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xalan.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-interlocked-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\glib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-util-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cldr.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jsse.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\icu_web.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\webkit.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dynalink.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\giflib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-stdio-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140_2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\vcruntime140_1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\icu.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-conio-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\asm.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6d8bad.msi	msiexec.exe
File created	C:\Windows\Installer\6d8baf.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA952.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC20.tmp	msiexec.exe
File created	C:\Windows\Installer\6d8bb1.msi	msiexec.exe
File created	C:\Windows\Installer\6d8bad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA31A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACBD.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0125-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_24"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_136"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_121"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_130"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_47"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_04"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0075-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_75"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_117"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0210-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0138-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_193"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_01"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlp\URL Protocol	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_37"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_70"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_06"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_49"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0155-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0205-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_54"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_29"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_11"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_26"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0155-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0155-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_14"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0115-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_17"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_21"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_35"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB}	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1080	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1080	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1080	jre-windows.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeSecurityPrivilege	324	msiexec.exe
Token: SeCreateTokenPrivilege	1080	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1080	jre-windows.exe
Token: SeLockMemoryPrivilege	1080	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1080	jre-windows.exe
Token: SeMachineAccountPrivilege	1080	jre-windows.exe
Token: SeTcbPrivilege	1080	jre-windows.exe
Token: SeSecurityPrivilege	1080	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1080	jre-windows.exe
Token: SeLoadDriverPrivilege	1080	jre-windows.exe
Token: SeSystemProfilePrivilege	1080	jre-windows.exe
Token: SeSystemtimePrivilege	1080	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1080	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1080	jre-windows.exe
Token: SeCreatePagefilePrivilege	1080	jre-windows.exe
Token: SeCreatePermanentPrivilege	1080	jre-windows.exe
Token: SeBackupPrivilege	1080	jre-windows.exe
Token: SeRestorePrivilege	1080	jre-windows.exe
Token: SeShutdownPrivilege	1080	jre-windows.exe
Token: SeDebugPrivilege	1080	jre-windows.exe
Token: SeAuditPrivilege	1080	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1080	jre-windows.exe
Token: SeChangeNotifyPrivilege	1080	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1080	jre-windows.exe
Token: SeUndockPrivilege	1080	jre-windows.exe
Token: SeSyncAgentPrivilege	1080	jre-windows.exe
Token: SeEnableDelegationPrivilege	1080	jre-windows.exe
Token: SeManageVolumePrivilege	1080	jre-windows.exe
Token: SeImpersonatePrivilege	1080	jre-windows.exe
Token: SeCreateGlobalPrivilege	1080	jre-windows.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe
Token: SeRestorePrivilege	324	msiexec.exe
Token: SeTakeOwnershipPrivilege	324	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1868	irsetup.exe
1712	irsetup.exe
1712	irsetup.exe
1080	jre-windows.exe
1080	jre-windows.exe
1080	jre-windows.exe
1080	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1384 wrote to memory of 1868	1384	TLauncher-2.885-Installer-1.1.1.exe	28
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1868 wrote to memory of 1164	1868	irsetup.exe	31
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1164 wrote to memory of 1712	1164	BrowserInstaller.exe	32
PID 1868 wrote to memory of 1184	1868	irsetup.exe	34
PID 1868 wrote to memory of 1184	1868	irsetup.exe	34
PID 1868 wrote to memory of 1184	1868	irsetup.exe	34
PID 1868 wrote to memory of 1184	1868	irsetup.exe	34
PID 1184 wrote to memory of 1080	1184	jre-windows.exe	35
PID 1184 wrote to memory of 1080	1184	jre-windows.exe	35
PID 1184 wrote to memory of 1080	1184	jre-windows.exe	35
PID 324 wrote to memory of 1132	324	msiexec.exe	38
PID 324 wrote to memory of 1132	324	msiexec.exe	38
PID 324 wrote to memory of 1132	324	msiexec.exe	38
PID 324 wrote to memory of 1132	324	msiexec.exe	38
PID 324 wrote to memory of 1132	324	msiexec.exe	38
PID 324 wrote to memory of 1360	324	msiexec.exe	39
PID 324 wrote to memory of 1360	324	msiexec.exe	39
PID 324 wrote to memory of 1360	324	msiexec.exe	39
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1352	1360	installer.exe	40
PID 1360 wrote to memory of 1444	1360	installer.exe	42
PID 1360 wrote to memory of 1444	1360	installer.exe	42
PID 1360 wrote to memory of 1444	1360	installer.exe	42
PID 1360 wrote to memory of 1304	1360	installer.exe	47
PID 1360 wrote to memory of 1304	1360	installer.exe	47
PID 1360 wrote to memory of 1304	1360	installer.exe	47
PID 1360 wrote to memory of 1604	1360	installer.exe	46
PID 1360 wrote to memory of 1604	1360	installer.exe	46
PID 1360 wrote to memory of 1604	1360	installer.exe	46
PID 1360 wrote to memory of 1884	1360	installer.exe	48
PID 1360 wrote to memory of 1884	1360	installer.exe	48
PID 1360 wrote to memory of 1884	1360	installer.exe	48
PID 1360 wrote to memory of 584	1360	installer.exe	51
PID 1360 wrote to memory of 584	1360	installer.exe	51
PID 1360 wrote to memory of 584	1360	installer.exe	51
PID 1360 wrote to memory of 660	1360	installer.exe	52
PID 1360 wrote to memory of 660	1360	installer.exe	52
PID 1360 wrote to memory of 660	1360	installer.exe	52
PID 1360 wrote to memory of 1592	1360	installer.exe	54
PID 1360 wrote to memory of 1592	1360	installer.exe	54
PID 1360 wrote to memory of 1592	1360	installer.exe	54

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.1.exe" "__IRCT:3" "__IRTSS:23661293" "__IRSID:S-1-5-21-3499517378-2376672570-1134980332-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1841947" "__IRSID:S-1-5-21-3499517378-2376672570-1134980332-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1712
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 8E31D027F3ADCE57F1D0C7A7818C4720
  2⤵
  - Loads dropped DLL
  PID:1132
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1352
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1444
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1304
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:584
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:660
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:1676
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1556
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll

Filesize
1.8MB

MD5
ff91ac355dc6b1df63795886125bccf8

SHA1
90979fc6ea3a89031598d2146bf5cdbbb6db6b77

SHA256
14b30467cfea0071dffc658dd31b8a25b7b4e79608933f171911c2cba6aa9a0a

SHA512
77aa8c7930730004bdb8d49a82712e1042db978102f6eca0d38317b6fd98ef03e52279130eadc7a0da1148e759db6589f7f8334d4c2eccfb2613e8f19542e197

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\baseimagefam8

Filesize
78.7MB

MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\diff

Filesize
50.4MB

MD5
926bc57fb311cc95bcefa1e1ad0ce459

SHA1
8c43b4d7aa223eaf9c73c789072545da0b2c55df

SHA256
9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a

SHA512
216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\newimage

Filesize
144.2MB

MD5
42f911bd9577dba41abfec153b50afdc

SHA1
e75303e84e59c81105db4aeb0e09ba92c0edfaa5

SHA256
a81763f447f212a42eddeecc63c58e580f1e4fb695480d24fba0bc43aa8c17e0

SHA512
40e22192db53eb84a117fbf729f83cbc79ff168509149b2281357295b72770816f260c9320cb7c5559f2242d7f7362dd7af4fa80d99a5db327cb2b690c9b6c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
dbe3a6f90afbd158084a49f835827355

SHA1
c8d99017e52a67e6be97f54ee3ce8af71034074d

SHA256
2d2165801e3a440a742992aae83042c09ff3585f9ff78e0629c0601dc803164c

SHA512
674a03a078c6648d2ac47c1d3fdab3eac90d6b48728a2487905817d7351a4e7c8c9bb2a631df943ee90690c6fcd18124a4d22e41746665b6b59b06b59daed34a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
466aa8673725757444df42aade57e690

SHA1
f7b5d55120f4c212404679b9298f5bc6b39c2141

SHA256
bd1472d6fd724239affa23d2a02070d0437d78ab210fa378b29148df63b58cef

SHA512
8e6050810023282b5620aa544931695e8740297319f1d5ba852c8e7327090071d6cfe738ef9d98f572ed8ffffe1084a73f7e69b42e606499065b9a883170764a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
6cf20017058eadd491046536ccf77220

SHA1
f0cda6e19be2f938f7acf02a07fc73886e5b2e11

SHA256
7e763b80b83677a40350cd86fdfd0bd980594082251688a46a715b460a203894

SHA512
c1f76edc3d88891e9cb501aa62c71a0e3403ebb30a8affb6a85051c9ae1f25722ba1981d1fc3733514f04b1c725de676ce86089199fc3d0a11230dab799c7e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7c0589abcce971181f9ec98188fbb303

SHA1
5d314ca5c0e10fe383e05c3716d508de08fffb80

SHA256
4707a958caf217a7752edbf765fedb98496730618a1bda8e0e32aaf1b6a239fa

SHA512
d8f5f9e69a7bb8467f1d37886c3ca934ee077c45c3c1efb534c0a7db641f250238d7bddf2afd52db02d6884c6d78d2146dfcdcd4da03ec7e5dafa6787c604519

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB55F.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14EA.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
90da62cce54019991806c5eaf3e9064b

SHA1
8dfc1ac38441f0f27fc7f26ed138809995662026

SHA256
b9af78ceb70b3c183e62411eb44575b5a2b5be182801c22a0dbac9d4d9ae8d60

SHA512
6150517a28bdaa3d0a9e4df8d2a2e1549d650d355a5bc773136612f5274b6006223ba8eec7606468a0224d4b165a9029ec296bfa3a4bd7d31e819be647b0ce56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG

Filesize
644B

MD5
c36be73412efcb80bad09ddbfb9dae60

SHA1
03f53249f5af14a0d48308fe75240300301996f4

SHA256
7522abc20e1b8f658946705aaf37342d69530749ff0c56370b1e93557e512911

SHA512
36fb7d477f3d68a20bc32dafda3037af9f9decca422d4336f0c27c81287b75bbe1e3d8a4e751031d2c9f9d38776e701501e6a7ff0c402f12172930580eaacbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG

Filesize
2KB

MD5
09a90acedcd211fb5e769969f1cf45c0

SHA1
0dc0b73875429bffe22917cf8779c8d3a54a69aa

SHA256
7fed67bf5b6d045f8c36534f2919a03557ae98aaa1a274906a0d8ebaf728d10d

SHA512
d8f654cdf46233b9ac73115e6fc22123da2226ceec9db3da2a6392388fcf5721d6a495527bed823ff83d0ea8721fc58ba3701cfedb43a927474697174c48aea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG124.PNG

Filesize
40KB

MD5
079246a69adfd4247dee7bd21116263e

SHA1
dab3304d28c191dcee09e86fff0ff404322afdb4

SHA256
086053e4f0fe1f6ae52a717ac7100547732a77b6e6e43b8ad561b3218f90cd45

SHA512
3fa4d4344b6ef863bac73081e31fa846244e9f3d91b26707eb992f7a0eeb0470331bb2a21fb88656658aa578a581acc8ac078e1bded225645d8e99482f81cc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
61f22775048d0885f58409a398b4c0d0

SHA1
754c90833ca9b94c4260fa0f0a2644d9e5a2e2cb

SHA256
45eed3d76c16132b33e4ce69e00ead5e28af36ca0d90e725a5fa807e076fc381

SHA512
952b96fb96416925825429ee3db589873b530c7fd34c4c336c9ff15431eefa390b4baf59d0d9218497d2d6f15ad35b85443a94202be9685c46b8ee69ce012cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

Filesize
1KB

MD5
c5aca643f8c4a971ff68e3d13f3779a3

SHA1
3bcf6169f17b14c14c8aa529a354c777ddd63ad5

SHA256
7bf23421e816787038b51f470bc406cd6804b45de3ffe091df6968753ac3c0f2

SHA512
4f86b3f6b6aa545cbe0aa211adf8db526ed1a172f79b3d7e9c4b96f43d15e3759ea407dc640f0c2082185ee7599c18d4d2e095d5eefbb10f03c291a5d07d20f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
290237681e54e52b3404303607422192

SHA1
1d525e52112a38be241b577c080046b6f14f1d51

SHA256
7694bf25bc3a1082ccd636f22e112e1e61c39c86569fe084a6dbd16c01beda02

SHA512
c0f4919223b2282e3afa6d1a955619bc74cd3426fec3d54759c7cb8852cf5ad3777816708330a0d9c5d4368cdd0638cae724f6d8b3306fec3c5f7089c82f9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG

Filesize
206B

MD5
d818bfb06c18d793968684abca5bc0b5

SHA1
05f644bd58daa051e97897d8f251ad85f3e5bfdd

SHA256
65750bae7411c5ecf0fb46c48187eb728f3c00d402ff404aa3a3d9dc3f86962d

SHA512
6c6cc5da2720794d4616ab314228dae2c3cd1569b00204cde293e7f3e3bbca97b04091076e03d63d8aae9f2b5b3c045c699edfbc0ed1c7e2eb21b72e13e1d689

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

Filesize
43KB

MD5
8738164870dbd16e5e5ca64ff87c3a5f

SHA1
828234e8f33f7b6ed0f322f17f0526d920bc72c9

SHA256
641380ee47a9ea307df5f478a62cf2b75f18433b424fedf1ab64c3d310cf888f

SHA512
9d7eec2e93252774155b8b2300b2d83c6d4428116ac43115c6ab8da87c3d6a0a1927d1b48fea12047d0e4a4212253c6d2961789535222af1495734b5f4cd791c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

Filesize
1KB

MD5
9a0d31fe71c47df32a35d1e618ab3745

SHA1
ef472b4af3df0196987161b623716e633bb48122

SHA256
ccbce067bab40f4b572312d77b26e67f0544488e54d2704a874252ddcd541ed6

SHA512
8734955cce9a9c282f9b92f1783669f539f56248badf775b70dd492b7c0b401ccecf05576197f7d5452f072fc29ed0e5989ca898d6e2a274e2fa42b9c5feaa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
114KB

MD5
bd5626a0237933e0f1dccf10e7c9fbd6

SHA1
10c47d382d4f44d8d44efaa203501749e42c6d50

SHA256
7dfc1176d8a507135140b23a0c014093b7e2673f0f3e5727c3d85df4e7323762

SHA512
1fd864a5386580cf8bbafbacb12a043ef51948b729b9aedfe6dc81e6c2948a100526c7c600069f22454d550f7f736ad3045a930cc2ef97458dc1d6c782928087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
aaf9b6fabf4f76bcda4de4a6594679f9

SHA1
e2c8ed3ab10167d4b271c290e2af8749c45d75e5

SHA256
74cbd97d140f52a0fcd579e37304171ec9aa5f8baf590f9643240e83330d6999

SHA512
9a9190995fd7a59e224ca508a182eae39ddc9a8caf10098ddad564e3201720e4757ba4ee52c5bec8ee4c95958c75f29dedfb493d6a52cabdbdfdb3e55d580acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
aaf9b6fabf4f76bcda4de4a6594679f9

SHA1
e2c8ed3ab10167d4b271c290e2af8749c45d75e5

SHA256
74cbd97d140f52a0fcd579e37304171ec9aa5f8baf590f9643240e83330d6999

SHA512
9a9190995fd7a59e224ca508a182eae39ddc9a8caf10098ddad564e3201720e4757ba4ee52c5bec8ee4c95958c75f29dedfb493d6a52cabdbdfdb3e55d580acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
12KB

MD5
4aece3e01571ecc9815fec020d538856

SHA1
f96cc9d1f31c998bbd4968bd8c1d0e30789a0c73

SHA256
5f659d55f17bd9db2f37633f015a1ee747e7ccd4d7821e0691214b74d64771c7

SHA512
efa9a53f1fa47dae05ddd9fcb4b639b4279748384f6e23eb46684a1bc46e884a81a382716c38e45f834c6ba8ffdd8d4c483dda1dda623f7b26e457bd8253b91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
20KB

MD5
e7afeee17fbb416da3764332cd04af0d

SHA1
61f1c35d2479a6a8e04c51abb2a1301f19ea4d05

SHA256
fd91a5ca1ce33265bfe8fd6624c6d4fb8391a0dfdb156663b5159e71b265ff5c

SHA512
94c5dcf2d90b770f913ddb91be6906887e0321a7614bfda7978a2ec23221119c3a1894d82280557f107612a2e87ef3189a88a5e4271cca90b31db1e77bc12c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
36KB

MD5
4580191307f51d164099c21886802761

SHA1
00883f79a03209ccc1313969e3c1ebc8d469a661

SHA256
ab1e111cc7bebf880acf925803b56e5dbb8f225748c163c84dbdb1bf63606587

SHA512
69121d85fe25b985d835954d4d3d898d153c8e0cf4ec0f9453a88d5d2d957b4c459aee051dc813440fb426399ddf5e9a63e24d196f5c3bbecd15645865e02fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
591B

MD5
d4e70c36612fdd15b8abd82f43a48400

SHA1
c8a52fcfd1d19a6acf1987745eb965129b20f49c

SHA256
7a0d12dc3b889da36b132fd9fdb36ba6fb080796ef05b8943ba74846a5f1b0a7

SHA512
d6e379dd743e088adcead3b39085e2dd254d26b44c5dc5fdfaeb09d0360d22f4c21c98b43b982e5b0290f051a9793cd85dffcc15e0ed634002f9491e318adf19

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
6.3MB

MD5
a09d58d5281883d9b555cb8f99974f57

SHA1
f900108770e0ee69a88df27bfeb3aa13322385b0

SHA256
dd5891adfd1f98f945cd02c02a231a41c8224ccc350050b65e2b987e075920aa

SHA512
0f9fc01df7bd6fcf25893ef1a31d0105e19a853d81d475312c1ad4d3f17b77ad6cba659c4b78bda8040279c91947d9277987447a3795b7acb393a5eb95ae8f3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

Filesize
1KB

MD5
cb8caaebfaa05146719ce0a5f8b899ae

SHA1
fc12e3451fe47fe3706306cb986b474de55a0088

SHA256
ff326331563fa9cd327d1fad02859810f8c9b03931b7a4cfd6447bc0bed60626

SHA512
ee85776e7cb81d3eb59ebbdfc1c164f65ddcbe509ae0008a6fe42ab239d9c4a24a7298dec77668ecc671b8561d80a1d42d136b67e65433757ea813e6880ac3b4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
f568af9c68a0251fc566e406094240ba

SHA1
14df4c283e3c619dd85b8265df9f1ca5b282d267

SHA256
7388d341fec9c5466ecc3c3ea440c46cf1cfa2f894c65eeb25a6be2166c706cc

SHA512
ef7392696f6c6a0de6f07aa74780e5819a54edb7977a9731239ce19572e9e4633fb6c99929c5b24185d6de9346679ac40fd7a8fd742ab4230f5855c7665ab531

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

Filesize
457B

MD5
72cdbf8e7308de199beb08050d3a1b3c

SHA1
2f585899c281fe18cdb08828bcb30300e002cb67

SHA256
4dec1fa9651c306b770969b647d2d026c91ca5956f227a922aec118d299736d3

SHA512
57993293646ece82f3de6a43e4ff2a267102a8fc483bd19025c886411ecd0ca1c4bdcf581b08996cb5f9203cef71f89d882d38a4a7967ec98b844cd982813c38

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

Filesize
352B

MD5
09fc430b812e6614251bbde4b8717845

SHA1
c4721c87609365fa794aa07a5408647b96333d11

SHA256
80eb5b37ab14b7d359c00ec7c0d40c16790029cd0b22c53d5192ec7a8d472c7a

SHA512
b548ed1b0c14feafe3b0cc097886116b454d57beb96986a682083071a7bc7183d43a73f196d4ea84f97aa59ab941b5cb53c47e6284f9833ae4a46c16da2dd425

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

Filesize
438B

MD5
5557c0ca7f386739d24f2cd216147b93

SHA1
9682ec2353719dd41be33e8e6b0a44d18408bcc5

SHA256
ad17aecc09ad2f5b291591535bbcb80dd4bcf1c10b3ad653abe148e2c66522dd

SHA512
6b32d545e6ef1d9379cc7754f30e4d5aaa96b97a84e376f425c406e8e6425ef98a19138bd85275ba69589ab174f1a430782417b135ecf4db2867055c18cbf90a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

Filesize
1KB

MD5
35e572a4d698ef8552bc609cdfdbd3dc

SHA1
994287a8dac2435d7a07626ed4f4c6e8aadbcc89

SHA256
d21de58079d820e47d525e56f8c30127e15c43c7efe8578603ffac4f049a7ac5

SHA512
7005d395be234a5b2503e22b730221ac53ad2057f4a767d9915e06df533bac867196b992c20eff009f4eee4d27b3e334b53b4c2a1f0df59bd504529b8739eff5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
1KB

MD5
67da0da128a0c5fe0fbb4a2fe6221c30

SHA1
a794319f2ef0abd2adfb3dbc50dfeb89f1d548a1

SHA256
bae67bd30cb9a50712a66d204bcc88d72ac6aa634e6f01a7768c4af183031778

SHA512
40fdbd636cd3fb148ed39de10d4432d197903e3c50d2edd72913e6c19aaa77552d82a676e8dbb267c04fcff93ac1e788d2b243c91b30b6122ae1e37567c8a01d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

Filesize
41KB

MD5
5a1dc42913de74154d9be8a0e0ab9921

SHA1
c80e10ac08d7cccfcbdd426a028606fae2b256ec

SHA256
187c4b7d0974d05dc174cdfce223eaeae19e68b424dcd5848729d90dc7bb8cad

SHA512
5ad8db1d9e48ec9b3a63534df7d4750adf670def4887def39f9e81fe006a671db220ab38dc2a18fb32dd10b10a53b5c739a97101ed9ba5eea870f336437a1223

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

Filesize
1KB

MD5
33db84115298eb5d63de69d845cc5881

SHA1
bd5727ccef3bae866284e1f2af84e4594847fa55

SHA256
10e5c76e179bcacd5a68d443728aaca93c6d690dc1df8c5a149fd7f7986a3511

SHA512
0078cc486c577fb52df512d77d16c74df79fd87b3a080ae1a5cc7119fc5790f852d8109f1dca833ab5aac6c5e5c93c3d964da1268ad59d67dc3c9bf44e5eb7ad

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
33KB

MD5
1d308cc20c5d17c1e29ce16500780cd2

SHA1
6465faeffe51f63d78849cc69543828b43a44c97

SHA256
76d0c6cd76440d29ffbd455c3a523fbc596fc354e413fa91dab1deb6623b0c17

SHA512
01a8a1ac79d64f91dd8800ba83c63233cd63bb9dab0b00302729b37534af49efedfb0f67ee4c42d1f2b2e67570b0a6a6a6e8bd55a875fc7e62586240ca07e58f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
6KB

MD5
4f7be9736242579cb8afa1af86980dfe

SHA1
1c486393847996db4f6b78532dd7bd9a0a924549

SHA256
9cecc28716f392d2394829f4cc3f307d08f5aecaf3e2124bdaaa0d6d9c3400b4

SHA512
4c55bc2698d8934713e791c015480248198e22efa66dd5ca79ea834b9835c9e85ca8c2869c9b40dc394ae7e27da039f79c392f88472dedc1adfa83dd1e94f1c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N0NYKL1P.txt

Filesize
869B

MD5
209f0020388d75bd86f04416c5ee5645

SHA1
18d2f6a95aac206fc5f5aeca48ad1728e86f35b2

SHA256
0f18257093011a292e90f3481e587b23d35c0fe3b4154a84330dc38059926314

SHA512
89428bb503eeb6abf2e0d14c1bb256cfacf06bf48ae10e397833ced34a0792960dcbdf59d18cad6e67adcf7ca8110e2722f1de673b687d03087f7d1b06d67cf1

Download Submit
C:\Windows\Installer\6d8bad.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\6d8bb1.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIA31A.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIA952.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIACBD.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIACBD.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7190881.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
8f2b958cbb1815db2f5a7488bd7425c9

SHA1
9652c48bfd86d147ef039de09952b9447c0fb749

SHA256
c31d8c6954e998702a1bc8851bdbe256432d9ac47f876aff5f1d6ce1b39345b5

SHA512
047259d93275a5218b1d1cd470a6a616cae75a0fd48bc5e743be2643b43dfbfe6bd0c27965bdb76b4b444b65a079d312c382304a87aa5e9225670e2e859e92dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7135158.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSIA31A.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIA952.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIACBD.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/1164-475-0x0000000002B30000-0x0000000002F18000-memory.dmp

Filesize
3.9MB

Download
memory/1164-478-0x0000000002B30000-0x0000000002F18000-memory.dmp

Filesize
3.9MB

Download
memory/1164-485-0x0000000002B30000-0x0000000002F18000-memory.dmp

Filesize
3.9MB

Download
memory/1328-2107-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1352-1746-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1352-1736-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-1749-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-1747-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1352-1745-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-1741-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1352-1738-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1352-1737-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1384-197-0x0000000002C00000-0x0000000002FE8000-memory.dmp

Filesize
3.9MB

Download
memory/1384-225-0x0000000002C00000-0x0000000002FE8000-memory.dmp

Filesize
3.9MB

Download
memory/1384-339-0x0000000002C00000-0x0000000002FE8000-memory.dmp

Filesize
3.9MB

Download
memory/1444-2383-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2382-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2379-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2373-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2372-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2366-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2362-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1444-2358-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1712-486-0x0000000000EE0000-0x00000000012C8000-memory.dmp

Filesize
3.9MB

Download
memory/1712-499-0x0000000000EE0000-0x00000000012C8000-memory.dmp

Filesize
3.9MB

Download
memory/1868-1344-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-424-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-392-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-391-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-443-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/1868-369-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-1342-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/1868-1343-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-2317-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-390-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-1357-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-366-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-1316-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-367-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download
memory/1868-347-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download
memory/1868-425-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-1324-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1868-368-0x0000000001060000-0x0000000001448000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads