7ede8fb3d0562caabd9c3f273546d907cb52ac1d987af651311469781336305f

Analysis

max time kernel
168s
max time network
247s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
10-06-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.885-Installer-1.1.2.exe
Size

22.6MB
MD5

2f7a2e72fa039fa1664378b0ca4a6eca
SHA1

57c1724a1da9309dece727a2ca597824ff967db7
SHA256

7ede8fb3d0562caabd9c3f273546d907cb52ac1d987af651311469781336305f
SHA512

7e8fdbe08005c8111256812e9d90609818b08cd5656b4b6f73c389e98a240c60d18f31432e51f58e752a13eabc3274d46447aebcf4924cce7b3354694f875ca2
SSDEEP

393216:2XVrUiQrh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOY:2lrUfrhSHExi73qqHpu34kYbzOY

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

32 2908 msiexec.exe
Downloads MZ/PE file

flow	pid	process
32	2908	msiexec.exe

Executes dropped EXE 15 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exejre-windows.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exejavaws.exejp2launcher.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1316	irsetup.exe
1264	BrowserInstaller.exe
1340	irsetup.exe
732	jre-windows.exe
820	jre-windows.exe
2192	installer.exe
2472	bspatch.exe
2752	unpack200.exe
2820	unpack200.exe
2872	unpack200.exe
3020	javaws.exe
3056	jp2launcher.exe
1584	unpack200.exe
1032	unpack200.exe
1272	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.885-Installer-1.1.2.exeirsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exe

pid	process
2020	TLauncher-2.885-Installer-1.1.2.exe
2020	TLauncher-2.885-Installer-1.1.2.exe
2020	TLauncher-2.885-Installer-1.1.2.exe
2020	TLauncher-2.885-Installer-1.1.2.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1264	BrowserInstaller.exe
1264	BrowserInstaller.exe
1264	BrowserInstaller.exe
1264	BrowserInstaller.exe
1340	irsetup.exe
1340	irsetup.exe
1340	irsetup.exe
1316	irsetup.exe
732	jre-windows.exe
1196
924	MsiExec.exe
924	MsiExec.exe
924	MsiExec.exe
2908	msiexec.exe
2472	bspatch.exe
2472	bspatch.exe
2472	bspatch.exe
2192	installer.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2752	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe
2820	unpack200.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0070-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1316-187-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-368-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-381-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-392-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-431-0x0000000000060000-0x0000000000448000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1340-485-0x0000000000DD0000-0x00000000011B8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1340-506-0x0000000000DD0000-0x00000000011B8000-memory.dmp	upx
behavioral1/memory/1316-959-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-1350-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-1361-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-1482-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-1522-0x0000000000060000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1316-1591-0x0000000000060000-0x0000000000448000-memory.dmp	upx
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe	upx
behavioral1/memory/2472-1771-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2472-1777-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2472-1779-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1316-2348-0x0000000000060000-0x0000000000448000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exejavaw.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxml2.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\javaws.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_351\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\fxplugins.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\accessibility.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\directshow.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-namedpipe-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\amd64\jvm.cfg	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l2-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\splashscreen.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libffi.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xalan.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-conio-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2native.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\icu_web.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\blacklisted.certs	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\6d6f95.msi	msiexec.exe
File created	C:\Windows\Installer\6d6f97.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB565.tmp	msiexec.exe
File created	C:\Windows\Installer\6d6f99.msi	msiexec.exe
File created	C:\Windows\Installer\6d6f95.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFD7.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exejre-windows.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0082-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_06"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_89"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_03"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_58"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_64"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_63"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_92"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_64"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_23"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_43"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_91"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_30"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_88"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_07"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_23"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_67"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_01"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_28"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0094-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0058-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_58"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_29"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_69"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_33"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0_02"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_02"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_05"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0082-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-windows.exe

pid process

820 jre-windows.exe

pid	process
820	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	820	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	820	jre-windows.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeSecurityPrivilege	2908	msiexec.exe
Token: SeCreateTokenPrivilege	820	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	820	jre-windows.exe
Token: SeLockMemoryPrivilege	820	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	820	jre-windows.exe
Token: SeMachineAccountPrivilege	820	jre-windows.exe
Token: SeTcbPrivilege	820	jre-windows.exe
Token: SeSecurityPrivilege	820	jre-windows.exe
Token: SeTakeOwnershipPrivilege	820	jre-windows.exe
Token: SeLoadDriverPrivilege	820	jre-windows.exe
Token: SeSystemProfilePrivilege	820	jre-windows.exe
Token: SeSystemtimePrivilege	820	jre-windows.exe
Token: SeProfSingleProcessPrivilege	820	jre-windows.exe
Token: SeIncBasePriorityPrivilege	820	jre-windows.exe
Token: SeCreatePagefilePrivilege	820	jre-windows.exe
Token: SeCreatePermanentPrivilege	820	jre-windows.exe
Token: SeBackupPrivilege	820	jre-windows.exe
Token: SeRestorePrivilege	820	jre-windows.exe
Token: SeShutdownPrivilege	820	jre-windows.exe
Token: SeDebugPrivilege	820	jre-windows.exe
Token: SeAuditPrivilege	820	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	820	jre-windows.exe
Token: SeChangeNotifyPrivilege	820	jre-windows.exe
Token: SeRemoteShutdownPrivilege	820	jre-windows.exe
Token: SeUndockPrivilege	820	jre-windows.exe
Token: SeSyncAgentPrivilege	820	jre-windows.exe
Token: SeEnableDelegationPrivilege	820	jre-windows.exe
Token: SeManageVolumePrivilege	820	jre-windows.exe
Token: SeImpersonatePrivilege	820	jre-windows.exe
Token: SeCreateGlobalPrivilege	820	jre-windows.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

jre-windows.exe

pid process

820 jre-windows.exe

pid	process
820	jre-windows.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exe

pid	process
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1316	irsetup.exe
1340	irsetup.exe
1340	irsetup.exe
820	jre-windows.exe
820	jre-windows.exe
820	jre-windows.exe
820	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.885-Installer-1.1.2.exeirsetup.exeBrowserInstaller.exejre-windows.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 2020 wrote to memory of 1316	2020	TLauncher-2.885-Installer-1.1.2.exe	irsetup.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1316 wrote to memory of 1264	1316	irsetup.exe	BrowserInstaller.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1264 wrote to memory of 1340	1264	BrowserInstaller.exe	irsetup.exe
PID 1316 wrote to memory of 732	1316	irsetup.exe	jre-windows.exe
PID 1316 wrote to memory of 732	1316	irsetup.exe	jre-windows.exe
PID 1316 wrote to memory of 732	1316	irsetup.exe	jre-windows.exe
PID 1316 wrote to memory of 732	1316	irsetup.exe	jre-windows.exe
PID 732 wrote to memory of 820	732	jre-windows.exe	jre-windows.exe
PID 732 wrote to memory of 820	732	jre-windows.exe	jre-windows.exe
PID 732 wrote to memory of 820	732	jre-windows.exe	jre-windows.exe
PID 2908 wrote to memory of 924	2908	msiexec.exe	MsiExec.exe
PID 2908 wrote to memory of 924	2908	msiexec.exe	MsiExec.exe
PID 2908 wrote to memory of 924	2908	msiexec.exe	MsiExec.exe
PID 2908 wrote to memory of 924	2908	msiexec.exe	MsiExec.exe
PID 2908 wrote to memory of 924	2908	msiexec.exe	MsiExec.exe
PID 2908 wrote to memory of 2192	2908	msiexec.exe	installer.exe
PID 2908 wrote to memory of 2192	2908	msiexec.exe	installer.exe
PID 2908 wrote to memory of 2192	2908	msiexec.exe	installer.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2472	2192	installer.exe	bspatch.exe
PID 2192 wrote to memory of 2752	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2752	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2752	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2820	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2820	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2820	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2872	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2872	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 2872	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 3020	2192	installer.exe	javaws.exe
PID 2192 wrote to memory of 3020	2192	installer.exe	javaws.exe
PID 2192 wrote to memory of 3020	2192	installer.exe	javaws.exe
PID 2192 wrote to memory of 3056	2192	installer.exe	jp2launcher.exe
PID 2192 wrote to memory of 3056	2192	installer.exe	jp2launcher.exe
PID 2192 wrote to memory of 3056	2192	installer.exe	jp2launcher.exe
PID 2192 wrote to memory of 1584	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 1584	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 1584	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 1032	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 1032	2192	installer.exe	unpack200.exe
PID 2192 wrote to memory of 1032	2192	installer.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.2.exe" "__IRCT:3" "__IRTSS:23661025" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1841988" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe" "STATIC=1"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding F142465E85A1B6DBB103E9C1B7F51BC1
2⤵
- Loads dropped DLL
PID:924

C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192

C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2872

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
3⤵
PID:3020

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
3⤵
PID:3056

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:1584

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:1032

C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1272

C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
PID:2844

C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
PID:3020

C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll
Filesize
1.8MB

MD5
ff91ac355dc6b1df63795886125bccf8

SHA1
90979fc6ea3a89031598d2146bf5cdbbb6db6b77

SHA256
14b30467cfea0071dffc658dd31b8a25b7b4e79608933f171911c2cba6aa9a0a

SHA512
77aa8c7930730004bdb8d49a82712e1042db978102f6eca0d38317b6fd98ef03e52279130eadc7a0da1148e759db6589f7f8334d4c2eccfb2613e8f19542e197

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe
Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe
Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Documentación de Referencia.lnk
Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Obtener Ayuda.url
Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visite Java.com.url
Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\baseimagefam8
Filesize
78.7MB

MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\diff
Filesize
50.4MB

MD5
926bc57fb311cc95bcefa1e1ad0ce459

SHA1
8c43b4d7aa223eaf9c73c789072545da0b2c55df

SHA256
9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a

SHA512
216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\newimage
Filesize
144.2MB

MD5
42f911bd9577dba41abfec153b50afdc

SHA1
e75303e84e59c81105db4aeb0e09ba92c0edfaa5

SHA256
a81763f447f212a42eddeecc63c58e580f1e4fb695480d24fba0bc43aa8c17e0

SHA512
40e22192db53eb84a117fbf729f83cbc79ff168509149b2281357295b72770816f260c9320cb7c5559f2242d7f7362dd7af4fa80d99a5db327cb2b690c9b6c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
9bdcb1aead0c35159e5498504a5b9bca

SHA1
7c929dab9fbce36f6a848a77f5557b17257f963c

SHA256
4b0d1e9ee04aa4ed53ab7447430689cc90669ec4816a624410200d1bdd88e5a8

SHA512
34896b0c8e1a285e83fe81f4e1ad0666a8e62dda551126ca87cf4fbe1bf49568eac5950489482fb1a9051280b94db67be92ebbacb8e2c1e2b147d9ea7d062f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f1e406b6e7ef73968f55238a0ce38b6

SHA1
cf4eb3ebd829ef979b3bce0f44ae825c7c301b72

SHA256
f719ed3a3cef809e9d844c33d450bf80bc9922aa61b3fc36e869d714da2cc58b

SHA512
734e35475ca1b5c98c180d17981aba73ae512e5d81fc2c175f827ca4b1838ce33ca6b641ac7c308a8d5d97f71df1551860fe25514072bb5139ab1cc228cd7c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
15fb9676221f929d2b945217515ec2b0

SHA1
5fe6dd5e218d7ab923d9b02e196f249fd6db726b

SHA256
5480018f0838d9a29b256a9f010cb3f47958306e2baf21439c22a1f85d831192

SHA512
cdf357a0bc5ba4b10cb048c3130c454de96e99979876db3c15db32220abde83ff32d195bec2e1473bb9fba6c86f8bc1c87ff1360a6dcea7c99c24e37dbf4751a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
46b8bc93deb119470243d1b79266e1b4

SHA1
6ac9b67fc1f4bff596f023a536ed7d29182fb0f4

SHA256
fa1a8c662dcfea57a52e64f870599d7a0b817b35e26ecd9df6401639c999a6c8

SHA512
7ca8935eada1e0142b1065383128b4a84441da492882a51fa8b5de6709944e5f75d37d3cd8c22e356d7d2e2c995dff29df554c1e2dfab278ea062e456c680128

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_351\Java3BillDevices.png
Filesize
11KB

MD5
b3c9f084b052e95aa3014e492d16bfa6

SHA1
0e33962b2191e7b1a5d85102cdf3c74fcd1254e4

SHA256
a68ddd67f6fcb0bbf1defa0778ee543e92c1074c442197ab623f733cc6285948

SHA512
06f51ac2962a0ec5f05ad6c90a2ba85b851d1fa2f0c079dc264fe930316cead959f68f6e34ff591b131867b482c266ac42400b06385dae712637ff0a90f902d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC787.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A27.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
bd0ec2c8929e31c899d9922769c3443a

SHA1
1e94470a60895011b38f3892aa6fb078f4c7ad9f

SHA256
28557b88fd35a7572f4cdf988b6ad16239b273693d31bab43c178862b87df693

SHA512
f5dd09c3e10d20f375807c5af6ee4b0266f789e461bbe67c489981cd33054a767e83d6cc2c79b3281ac263b143eb860e79937277de390c4cb911c86cd8b697bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG
Filesize
644B

MD5
909b9867508018d84d31613a221e439b

SHA1
3e804ad6f5310f3450698b626e9feb57fcc7d8a4

SHA256
c2f82de9a55928605e8f8d0e24208160d042e7217a8a5e9df086b5d4442d7e79

SHA512
5295afc0e3774539e1de1c8a59f74b73be314c804f1e4e5f1097a1394e35b31d10e2979b38038cb0d925b5dc4944576d38e4691a1c4b58df6aeea888af40e39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG105.PNG
Filesize
40KB

MD5
ef130f96156895727477c06ffccbace1

SHA1
126537b9c70b237b08a75431953908dfd0ca8ed3

SHA256
2c264b42ffa122e3ee120f07fd31c5a3ef77111f8df082e3b7af0e6ec857ee21

SHA512
a157e4fc0fb14d72c3049832bf74d461f421d2d3b7b54d0d80f5c6354225098fa4f099eaf9c34757992aa2855a3347db128e36a054dfdfb25ca32d65e54247a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG
Filesize
2KB

MD5
533fd70b9d6f912b6bdd6b38ff900cd9

SHA1
767a3ded7c2e8f21a6231e36bc7337a1b9960fb6

SHA256
83c4b1e150ef6536b633cc58e9f7a7e45063ded41f5a726d2e8113136cba1537

SHA512
f90abcddf927348fab7c7d23787107b11e17bfa35c54899cd92e6b4dd68ed8d37791834f9dfbf63fa8910d961ca335f78d952ccf1afc7e434cf4a4f53badac8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG112.PNG
Filesize
2KB

MD5
f0551d96c614aacca6d2757da0e276b5

SHA1
779f6010944bc28ea3ded514a7199fd4e5f1c806

SHA256
e26aed1030140a23124966ccfbd4b6350de5b0ef32fb5fcb798e1b27faaec95c

SHA512
da82185d2d64505bbddcef248558b0776131050598913321dce65c75f624fa94a39b1b6b6b8d6bd205b39898fb58f9b9720b0b7d271232a82e8b208b5696f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
24062346552ffff2672f1040fa2c121f

SHA1
86a9866c40e9456df33df17f4b6a6baf4b2ab240

SHA256
da450089f19b7cbfc3f55853f2faf7b39b70b0a961e05371212ce46b1db1b494

SHA512
813f077ecc64233f30e51493504048371fa4c48b3e43715bc5287724b1727461d710872a75e3c668493b3579a9654c78d4473251b218fe25505b111f5692e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG
Filesize
1KB

MD5
4ba04da1954faf8c1c3a52552a736e90

SHA1
bc513229ae23e3037fc31f1290c5d60990195931

SHA256
a2ccae53bbbbd2ec354f211bc27c935f93c4b345872d99a6b519668ce4ac5d5f

SHA512
e8755726f14d6a1baed08deb83934516c42847546babdad60800efe3199e5b5e5653195439549b1ec4469a8bfdafa24c91a24281806d73b54599c3b70143c3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
8a76b6b1f0097a0f29e92c15024fd7c9

SHA1
e12e3446ab3c80c6d6d2fc234364ae03f813bcdf

SHA256
da837851cd5d4ac4297be6e3dd7f6647217a77579926eeb7dfa90bcc2949a19f

SHA512
c619163e571f94c1653d1d282005d253033b6b03c66dd9ae3b3fb23b0fffba52c8dbb12a62860478b8805382e854711a628992882c199f73fcf328fb1a6cf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG45.PNG
Filesize
438B

MD5
9312b473218c18f6a4ef0014c7b949af

SHA1
8a703bb09bb3c392e66f7d94c79f94b3cee21745

SHA256
f990efd93d1e1fa2f91c5bb10edbac2243d78b7d50b7a42c811c0bfb48fd8459

SHA512
2c69c4eda6b624091afdd44b45e9a0b2703d312fd46e69260a3f1ae09e94afaebd3f416b78534069ffd07b7c3b00c5919de71d353a5ed2de25c59cc89437a0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG
Filesize
206B

MD5
1d2588f51cc8eea0139b29dd751da00a

SHA1
579469327830aac9f045104e746870bd8c64dd4b

SHA256
592f9e63cfb2915ddbdbf0ba47ea8dd83c2308883f50090d2739765c13b08721

SHA512
5964b8aa8c97d8c3064b77214956d358b55e40eab10885ee25e1b402dac4a4ba969990a6571d233851956d2b0ea6e2b42f802fde9ec849903c5d003c6b3afbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
Filesize
43KB

MD5
44ed12004ffb5c180767e03f0585cdc3

SHA1
aea7588444ce9dd8b5829aa42f3183296f1ca38e

SHA256
7c0e1e5a92d8c9fac95e7e9950f8bc67eb615a76d121c66eabb3628d677ec051

SHA512
bcb6cb6a416a4736b6ac9f6a294168a9c61a549015cffde88c735ed0f1a3d2487d3fb29207b9ba85f881e1eb3013e6e940268c4c107511d319eaec11cb6fd695

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG92.PNG
Filesize
1KB

MD5
700c6235880f7d9267b5c4e66d3e0f0b

SHA1
c928b8551da704ea7569377eca0a8c0eac842dbd

SHA256
ac844117cc9d0225e1987b42830d17733e1eb16d2007b53264a6096bb9f437dd

SHA512
9caee199c4c648e03ae30ab2fc678a82e2b583ed7a5f21ea4782255c2869153c045e2e0d1d9e79a480300d8268a9d5b412eb2b24c98bfd8ea2c970f9184a91d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
114KB

MD5
4a6a32076a6ec33b804682a0630d916e

SHA1
5f59244343506596b8b13145cc7b7685a85b25af

SHA256
91106348245a378a20028de836ca8c4f8b21248d6d5b115892f1d915d3f83ab5

SHA512
a0ac7f21f4d9c247915615faaaff2e164e6defb58bf015cdd3420a63238df8d3c984545179a4567d48882c4c59b483819f6bf59ca532d2449cd6deb081451fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB

MD5
5c9a66d33979f8750ae1ffa6776618b8

SHA1
6adfb1c5604e8d4e005e8d14afcb0b94b83aa870

SHA256
e4afccd992aa80fc91992c4fbb196f672649b0cbaeb890687d5a92a5a17cc9a5

SHA512
67ee280e4c2b007ca062814af0ea23f681f6442715e61fef87e6a55a23a06dcdb7021cb465b1810399a20f341fe470ca481a6fcb0f46c25eb61e27a08622ea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB

MD5
5c9a66d33979f8750ae1ffa6776618b8

SHA1
6adfb1c5604e8d4e005e8d14afcb0b94b83aa870

SHA256
e4afccd992aa80fc91992c4fbb196f672649b0cbaeb890687d5a92a5a17cc9a5

SHA512
67ee280e4c2b007ca062814af0ea23f681f6442715e61fef87e6a55a23a06dcdb7021cb465b1810399a20f341fe470ca481a6fcb0f46c25eb61e27a08622ea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
12KB

MD5
a4be2298326cac8ae5dd4c4a65e7a85f

SHA1
7805c5bc55c05bfd8fb8fbdf3cc77749a88d4ceb

SHA256
97e37a037014101cf5cd7d12098bb885443abdfc42d11875654b1938404ac7bf

SHA512
9919521729278e16b02be983dc4a6e8d195274d6cb58cc820eeb74c036e50521c401164707dc4b6aebcf1940e3abad01cbc9c434b0b2c92b013da9ad303e47de

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
28KB

MD5
361f1a9207cdbaef5fdb2f136ce19699

SHA1
0a8d80ed436a485e36f575e42e327be6531be6fa

SHA256
05a1842703646dcad0cf0b9e9e14ece84cd06085d863dc2fd19b15c24e8298d1

SHA512
1e837ae6b70b009779f56f9ac5fe3e3cd7513115bb90312f0460185a00bc56bbca74dbea2314abd30a6fd416b4c999b23a649577c06c0d7d0ce8cc38abd0df05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
43KB

MD5
5839ab328b9533aed5ea664f7eebe0b7

SHA1
962b469d052c22e7b80ab6a0c6efd1421206f1ed

SHA256
09bec4b32eeeae6d3b4ccda072bb07cc806d302de2351b3999b16825826f2d25

SHA512
aa8736deb45215f2d1606309673c36c8a9c2375acc9ed5deddc0dafe65e7edef546e7691cab1788765bf55438254d3ebc8dbf5a1035d8a9749efcb36eb1558d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
591B

MD5
dbbd4373ee4ffb046f1fc0364614fa89

SHA1
cfcf460e4ecc506bf2b7a54d92d82bef41a40266

SHA256
15cc053a7a6d0a7833a12f19268ac338e12c1f5dcef23531f97010be0ccb6143

SHA512
b7cf76511c46fd55a429c2ab94c3279d2cea23b060409410f25623ac6d50cbc9962bb4ea8301d1c84d07d2117b2f04035f56a0d5dfe2c4dad753dbffb63e4b25

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
6.3MB

MD5
a09d58d5281883d9b555cb8f99974f57

SHA1
f900108770e0ee69a88df27bfeb3aa13322385b0

SHA256
dd5891adfd1f98f945cd02c02a231a41c8224ccc350050b65e2b987e075920aa

SHA512
0f9fc01df7bd6fcf25893ef1a31d0105e19a853d81d475312c1ad4d3f17b77ad6cba659c4b78bda8040279c91947d9277987447a3795b7acb393a5eb95ae8f3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG11.PNG
Filesize
1KB

MD5
0baac6a227cf66b1ba61b0e260d60772

SHA1
c460c1b0d0c0b13d5ea1235727f215ab4fe097df

SHA256
2391924d2604943b07ffab3ab20ef45a29ecf5ff5fdd280135e0dd1cddc19ef6

SHA512
8947c4d30384d9fe5a191bbcea360f33ce731ae846997773db8b7ae645fcf8d2796b0dda58090fe2ede908066b5cd2ac10bdb2e66a4d14d09daaf75542c4e8a8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG29.PNG
Filesize
1KB

MD5
a3f64d5905c92731ad751763cf03cc45

SHA1
7cae27994b6861f0e97ba2dbae3895fb0500ee60

SHA256
1996a2e5c9c69fdaf0418cb195238059364d23ee584867a574d2e52664940ae3

SHA512
c8629a92786b49509150ba2caabef90177e4b5cd39ea667764e3b498f65b33327c098c19f39ef0b485611fbd8f04271cd4c176f2f82d37c92f48767247c73676

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
45KB

MD5
6a0abb8b83cab5d8d9208d96ec92da5f

SHA1
9d077f967398d47b8aa96f4a9dcbd9d9351eab68

SHA256
ed33106cb3e5300684e7bb5579a3de20011354d74665b760d8dc080532a8dc2a

SHA512
2f7070795dd7984bf6cd9ccc833abf92b703bdf5eb56b636529bea08dafc72e5a6c9b7e8491b1425d25c1ba56683e3c0930b5da97723024eb3e4dffed3a6d245

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
Filesize
457B

MD5
1aeaae8978ce4d4663799c2233f4a4fc

SHA1
47ce4008a879ad45d34fda0a3b8558c9636bb301

SHA256
c803b2d2739d5578d1402211d7ed2886ebba64cbae0ccb1face7eff3c59ff2b0

SHA512
fec89cbcd5a669829be8558a60abdd6f98a0f64a28212547355db6a9f7acb22b7d0d1d18d8fd4a4e14320cd7fecd1d3aefb09cf16ed796ea7890951519f16a20

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
Filesize
352B

MD5
630cf1915986415adf98aa5ece5d46a3

SHA1
4cdd5e3a7f576002dfe426b74ae98df9fe4cd163

SHA256
ab521628feeed84a225c7eb2104b3f078377c34c3e9f3e8bcded030a05aecdb7

SHA512
5b628bca89b14f2695730c847e8cae40e7aa0530a6f49208bf2dda95a37be68843c25cfa7e6cab535ee8680964df2acdee1598a1d3bd90acb60dfd676661531a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG54.PNG
Filesize
2KB

MD5
23b78ebbe84c21c8e3b3af9e96665361

SHA1
fc0ee75cfcf4e4791541c14c0bdb48c848ca134a

SHA256
26db2a1b9fcd040cf853525e5d941acce10ac4e4158b7cc47c17d8c8b6f52220

SHA512
596842f005ad94ea4d2a454acbe9145d87ed4d10c15d08d0dca144f00c50d0f8a64096331c2b7e6feebd364ef915eeb0fa970b358323fc35759a25c0c494f67f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
Filesize
41KB

MD5
86eb2f83c22f86c1a04402deaa3d394a

SHA1
4a5b85ec7cdcf1ec3b5ce866b65f6f58845e4ae0

SHA256
ff1a259bd0d4c0f1f66ff5a8298ac3217272c162d5db439c0d9394c41ef37bbd

SHA512
22b9e8672c45667fe0347c3279e6c362cd7a09b7eeabb2674789afb4f6cd3a0ef2d00c286608a122ed609cfc1ae480f191b39359199bb907077495b90a41a511

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG73.PNG
Filesize
1KB

MD5
0b2f7e83e2da62a510c5be309e4e85bf

SHA1
04faec975a72950495c17a61a6b9ff7dbc6c2097

SHA256
c0237e5fdc15979e58d8f63fae1d2cb23e44db31eabe1f5ea1a35839081a9838

SHA512
2539c6b90728b7931ed6b6aff61bc96334f620945a5f40897a9659950a1238cc78e28f5557c891541ff91d5b5d01ed1a38f59b467e00b8bbcf953a70c8f32b4e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG8.BMP
Filesize
451KB

MD5
d2b43decae0a14deb90423bfb687dc63

SHA1
c191705fcb927d476d4fc639860bd52e324a274c

SHA256
3266fb3a33a97fac7d71652129865c3d0dd06e70af6ed5a3b2506d842eb69e70

SHA512
3cd903b0c4590e25502cd0f91b678c1e798989211e174d5a6dbfd52b343a426b867204979cc078a4919d63a4c4401c4f8eaa295227cec0ccc043c7e285d3d2df

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
4d713533627749e69ad93a2c198fed99

SHA1
2858976eac2b13dde58139d8c8b69f64637a8ef3

SHA256
272962ed29cab4d107b0e511a0ecf9e90938c4a7ab8fa33d140fa2971be040f0

SHA512
2a16a3600dc73dde0bb09ac8ec136382871315a7d9f26eb716bb35fa5afc23b0700d12ae81bb96997f6c50ee1683b2a83b02e426143d6ba8ef458d65298ce5c4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
6KB

MD5
4f7be9736242579cb8afa1af86980dfe

SHA1
1c486393847996db4f6b78532dd7bd9a0a924549

SHA256
9cecc28716f392d2394829f4cc3f307d08f5aecaf3e2124bdaaa0d6d9c3400b4

SHA512
4c55bc2698d8934713e791c015480248198e22efa66dd5ca79ea834b9835c9e85ca8c2869c9b40dc394ae7e27da039f79c392f88472dedc1adfa83dd1e94f1c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GCKUMIG6.txt
Filesize
867B

MD5
f613e1e6e04ff919077d45346fbddf69

SHA1
a9ef4930bd8e4f1342664c3baa65e9204990d2a4

SHA256
16d5e186f072c65e7a0151026f2b0828c48352c3ba579cf3e1f54fec7a913dd4

SHA512
7cd8fe047caaf1a41b9a5304b2b2b3894abcce44aeb7ee515578aa37a909ef493dfa199f5045f142d387ab322d9a987e33c1f850392952d5935171dc6a7dee66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IRX5V4YS.txt
Filesize
867B

MD5
7a775f826441996ebf972c63a39b8664

SHA1
b4f603750dc11881fe53ea7ce089de897bd9dca9

SHA256
b2b46c510bee416a08dfbdb295c5c60a2fca27a631550b4af30b1c08923319f8

SHA512
f7e1a18869d34de54dddaa3402ae6936498ed5acaea851dd9ab0f9f9a5a71c99d76801629343032fdd858b5603d991cbc1ccbd4b98011e226373b990457d87b9

Download Submit
C:\Windows\Installer\6d6f95.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\6d6f99.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSI84F0.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIAFD7.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIB565.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIB565.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe
Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7192394.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
9ccf7ce8b92bdb4e94edace9bc52943b

SHA1
c2a58b4dee453876152d82238c2d74c8ec71c209

SHA256
999e88f074bb3f1dc316e52df5b9f9ac21b45533c70e178f089368067543d4c7

SHA512
dcc1f8b2b5e0c1a6cc156c3f5b26d8fbfa503fdb9a588c52bd4e28040dad005ebf1d02649022dace6e7c00c17fff1bf27eab18043c2226793add29ae0a527efa

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7141210.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSI84F0.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIAFD7.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIB565.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/1264-482-0x0000000002B60000-0x0000000002F48000-memory.dmp

Filesize
3.9MB

Download
memory/1264-481-0x0000000002B60000-0x0000000002F48000-memory.dmp

Filesize
3.9MB

Download
memory/1264-483-0x0000000002B60000-0x0000000002F48000-memory.dmp

Filesize
3.9MB

Download
memory/1272-2141-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1316-432-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-480-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1316-393-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-1522-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-381-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1482-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1361-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-369-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-368-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1524-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-1350-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1351-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-367-0x0000000000850000-0x0000000000853000-memory.dmp

Filesize
12KB

Download
memory/1316-366-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1316-1352-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1316-2348-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1591-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-392-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-959-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-187-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1316-431-0x0000000000060000-0x0000000000448000-memory.dmp

Filesize
3.9MB

Download
memory/1340-485-0x0000000000DD0000-0x00000000011B8000-memory.dmp

Filesize
3.9MB

Download
memory/1340-506-0x0000000000DD0000-0x00000000011B8000-memory.dmp

Filesize
3.9MB

Download
memory/2020-124-0x0000000002E90000-0x0000000003278000-memory.dmp

Filesize
3.9MB

Download
memory/2020-380-0x0000000002E90000-0x0000000003278000-memory.dmp

Filesize
3.9MB

Download
memory/2020-145-0x0000000002E90000-0x0000000003278000-memory.dmp

Filesize
3.9MB

Download
memory/2020-139-0x0000000002E90000-0x0000000003278000-memory.dmp

Filesize
3.9MB

Download
memory/2472-1774-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2472-1773-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2472-1772-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2472-1771-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-1779-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-1777-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3056-2392-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2389-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2393-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2400-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2402-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2406-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2412-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3056-2413-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download