f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.885-Installer-1.1.3.exe
Size

22.6MB
MD5

bd3eefe3f5a4bb0c948251a5d05727e7
SHA1

b18722304d297aa384a024444aadd4e5f54a115e
SHA256

f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0
SHA512

d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d
SSDEEP

393216:KXGWOLBh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOc:K2/BhSHExi73qqHpu34kYbzOc

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
1368	irsetup.exe
2640	BrowserInstaller.exe
2748	irsetup.exe
1540	opera-installer-bro.exe
2496	jre-windows.exe
2552	jre-windows.exe
576	installer.exe
2264	bspatch.exe
1880	unpack200.exe
2908	unpack200.exe
2272	unpack200.exe
1352	unpack200.exe
2400	unpack200.exe
2372	unpack200.exe
2744	unpack200.exe
2532	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1180	TLauncher-2.885-Installer-1.1.3.exe
1180	TLauncher-2.885-Installer-1.1.3.exe
1180	TLauncher-2.885-Installer-1.1.3.exe
1180	TLauncher-2.885-Installer-1.1.3.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
2640	BrowserInstaller.exe
2640	BrowserInstaller.exe
2640	BrowserInstaller.exe
2640	BrowserInstaller.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
1540	opera-installer-bro.exe
1540	opera-installer-bro.exe
1368	irsetup.exe
2496	jre-windows.exe
1308	Process not Found
1012	MsiExec.exe
1012	MsiExec.exe
1012	MsiExec.exe
2632	msiexec.exe
2264	bspatch.exe
2264	bspatch.exe
2264	bspatch.exe
576	installer.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe
2908	unpack200.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\wsdetect.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012257-3.dat	upx
behavioral1/memory/1180-6-0x0000000002E40000-0x0000000003228000-memory.dmp	upx
behavioral1/files/0x000a000000012257-7.dat	upx
behavioral1/files/0x000a000000012257-13.dat	upx
behavioral1/files/0x000a000000012257-11.dat	upx
behavioral1/files/0x000a000000012257-8.dat	upx
behavioral1/files/0x000a000000012257-15.dat	upx
behavioral1/files/0x000a000000012257-18.dat	upx
behavioral1/memory/1368-20-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1368-334-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1368-336-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x000a000000012257-371.dat	upx
behavioral1/files/0x000400000001cd19-402.dat	upx
behavioral1/files/0x000400000001cd19-411.dat	upx
behavioral1/files/0x000400000001cd19-413.dat	upx
behavioral1/files/0x000400000001cd19-409.dat	upx
behavioral1/files/0x000400000001cd19-406.dat	upx
behavioral1/files/0x000400000001cd19-405.dat	upx
behavioral1/files/0x000400000001cd19-417.dat	upx
behavioral1/memory/1368-426-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x000400000001cd19-494.dat	upx
behavioral1/files/0x000400000001d13e-514.dat	upx
behavioral1/files/0x000400000001d13e-517.dat	upx
behavioral1/files/0x000400000001d13e-518.dat	upx
behavioral1/files/0x000400000001d13e-521.dat	upx
behavioral1/files/0x000400000001d13e-523.dat	upx
behavioral1/files/0x000400000001d13e-526.dat	upx
behavioral1/memory/1540-1336-0x0000000000020000-0x0000000000548000-memory.dmp	upx
behavioral1/memory/2748-1340-0x0000000000C70000-0x0000000001058000-memory.dmp	upx
behavioral1/memory/1368-1368-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1368-1469-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1368-1494-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1368-1538-0x00000000000D0000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x000400000001dda7-1750.dat	upx
behavioral1/memory/2264-1751-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000400000001dda7-1752.dat	upx
behavioral1/memory/2264-1753-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/2264-1758-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2264-1764-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2264-1770-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2264-1772-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Blocklisted process makes network request 2 IoCs

flow	pid	Process
37	2632	msiexec.exe
38	2632	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-locale-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\ecc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-datetime-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\bci.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javaws.pack	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259558035\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-filesystem-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ucrtbase.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\santuario.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\jfxrt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\directshow.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-handle-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxslt.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\gstreamer.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\bcel.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\glass.dll	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID6E7.tmp	msiexec.exe
File created	C:\Windows\Installer\f77b81c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE098.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1D1.tmp	msiexec.exe
File created	C:\Windows\Installer\f77b81e.msi	msiexec.exe
File created	C:\Windows\Installer\f77b819.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b819.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE490.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\ = "Java Plug-in 1.3.0_02"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_55"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_33"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_52"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_13"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_17"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_68"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_01"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_23"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_73"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_73"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_13"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_46"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_94"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\ProductName = "Java 8 Update 351 (64-bit)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\ = "JNLPFile"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Programmable	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_93"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_16"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlp\Shell	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_17"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_20"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_33"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130150F\Language = "1033"	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2552	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2552	jre-windows.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeCreateTokenPrivilege	2552	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2552	jre-windows.exe
Token: SeLockMemoryPrivilege	2552	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2552	jre-windows.exe
Token: SeMachineAccountPrivilege	2552	jre-windows.exe
Token: SeTcbPrivilege	2552	jre-windows.exe
Token: SeSecurityPrivilege	2552	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2552	jre-windows.exe
Token: SeLoadDriverPrivilege	2552	jre-windows.exe
Token: SeSystemProfilePrivilege	2552	jre-windows.exe
Token: SeSystemtimePrivilege	2552	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2552	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2552	jre-windows.exe
Token: SeCreatePagefilePrivilege	2552	jre-windows.exe
Token: SeCreatePermanentPrivilege	2552	jre-windows.exe
Token: SeBackupPrivilege	2552	jre-windows.exe
Token: SeRestorePrivilege	2552	jre-windows.exe
Token: SeShutdownPrivilege	2552	jre-windows.exe
Token: SeDebugPrivilege	2552	jre-windows.exe
Token: SeAuditPrivilege	2552	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2552	jre-windows.exe
Token: SeChangeNotifyPrivilege	2552	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2552	jre-windows.exe
Token: SeUndockPrivilege	2552	jre-windows.exe
Token: SeSyncAgentPrivilege	2552	jre-windows.exe
Token: SeEnableDelegationPrivilege	2552	jre-windows.exe
Token: SeManageVolumePrivilege	2552	jre-windows.exe
Token: SeImpersonatePrivilege	2552	jre-windows.exe
Token: SeCreateGlobalPrivilege	2552	jre-windows.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
1368	irsetup.exe
2748	irsetup.exe
2748	irsetup.exe
2552	jre-windows.exe
2552	jre-windows.exe
2552	jre-windows.exe
2552	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1180 wrote to memory of 1368	1180	TLauncher-2.885-Installer-1.1.3.exe	28
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 1368 wrote to memory of 2640	1368	irsetup.exe	31
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2640 wrote to memory of 2748	2640	BrowserInstaller.exe	32
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 2748 wrote to memory of 1540	2748	irsetup.exe	33
PID 1368 wrote to memory of 2496	1368	irsetup.exe	38
PID 1368 wrote to memory of 2496	1368	irsetup.exe	38
PID 1368 wrote to memory of 2496	1368	irsetup.exe	38
PID 1368 wrote to memory of 2496	1368	irsetup.exe	38
PID 2496 wrote to memory of 2552	2496	jre-windows.exe	39
PID 2496 wrote to memory of 2552	2496	jre-windows.exe	39
PID 2496 wrote to memory of 2552	2496	jre-windows.exe	39
PID 2632 wrote to memory of 1012	2632	msiexec.exe	43
PID 2632 wrote to memory of 1012	2632	msiexec.exe	43
PID 2632 wrote to memory of 1012	2632	msiexec.exe	43
PID 2632 wrote to memory of 1012	2632	msiexec.exe	43
PID 2632 wrote to memory of 1012	2632	msiexec.exe	43
PID 2632 wrote to memory of 576	2632	msiexec.exe	44
PID 2632 wrote to memory of 576	2632	msiexec.exe	44
PID 2632 wrote to memory of 576	2632	msiexec.exe	44
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 2264	576	installer.exe	45
PID 576 wrote to memory of 1880	576	installer.exe	47
PID 576 wrote to memory of 1880	576	installer.exe	47
PID 576 wrote to memory of 1880	576	installer.exe	47
PID 576 wrote to memory of 2908	576	installer.exe	49
PID 576 wrote to memory of 2908	576	installer.exe	49
PID 576 wrote to memory of 2908	576	installer.exe	49
PID 576 wrote to memory of 2272	576	installer.exe	51
PID 576 wrote to memory of 2272	576	installer.exe	51
PID 576 wrote to memory of 2272	576	installer.exe	51
PID 576 wrote to memory of 1352	576	installer.exe	53
PID 576 wrote to memory of 1352	576	installer.exe	53
PID 576 wrote to memory of 1352	576	installer.exe	53
PID 576 wrote to memory of 2400	576	installer.exe	55
PID 576 wrote to memory of 2400	576	installer.exe	55

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-3425689832-2386927309-2650718742-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1841988" "__IRSID:S-1-5-21-3425689832-2386927309-2650718742-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1540
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding AD274E4746FC91C071C1C642B2C43D24
  2⤵
  - Loads dropped DLL
  PID:1012
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\ProgramData\Oracle\Java\installcache_x64\259519659.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2264
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1880
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2908
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
7fadb9e200dbbd992058cefa41212796

SHA1
e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4

SHA256
b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b

SHA512
94b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259519659.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259519659.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d9cb9ba8ca8a50edd32452f08c0031a8

SHA1
a1d21c7bd9e5e020694e2a54a2a82888ed263561

SHA256
1ce6a2895e80d095f37d0bd79db38cc4fa7bc1e38f02f0da7d348c7fe550eec0

SHA512
1f43a90ba4dbd5c9391954a73825cbf60f88bcee2515bfad996993b84d23f63f7a15aa97269417977bf75746105d0ba961c86cbba146cd2e5eb999fbac6d6a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9bb21dabeeed5cfe47f559d708f5d9a

SHA1
9cbcbf8871d7a7d78de7c6651d91f1543ddccb13

SHA256
1fbd5e6a9d5b79a8312166209c10db46bec539bd6985673dd1d3c490160ac4f4

SHA512
29c0d5c413e06a6ce005b8d3097d70e82225beb3df2e5749b385b36c6cdcf287fa0a7a0a0dfe1eb9dab71dbad1c4377af5e259ff4442fac0a20ea0d211d6e8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c81e9044373225c93b4f881111a35223

SHA1
374500d29708d3c0f594e6bdeffeaa4602111404

SHA256
8c0b570d473c8cfc1d58e1e80b20f321c75f19114a0e37a2e68dd21920f85465

SHA512
41cf72ae018bd3117219295a587a1dff8ca9906b073b5578bac5e58c28cc97cb793feb3c25b315c6c32bbc0e6b7a93c910c20de16a1c8cba9532de2e032e115c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
e67be55ca8df5c5ebfa19dd64550da67

SHA1
6f8e54584d1356cd2474027907be45938d903bd1

SHA256
65e894f8997633a10302f0510d829641dcf49e7cddefb30d811f4134594d6a9c

SHA512
d1dc332658eb2afc2014513478a861b9b3c58a20cbe83bd1caca694e815d7daa1755d7e74c4c707e06f14a5bd3760b7ba53d4b9c60d0f6b40920e67fcb7ed685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cb71e7046e1319d2579582e4a79da180

SHA1
b41f76009604b45904c513b2b89c9acd00aac1ea

SHA256
02fafd03355fd0a3272355961c7a8a52a0a2480347dcba33a0c181afcad93526

SHA512
3b51149c92f3fbef76fc345fed065bb75078fa0d476a05a64e658c249564e1ed59f03f1c0e076d0f3d45ea252f3320687ae7c80659a59fbb6178606b216a4369

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE9D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF1D.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
e5e9c323b6a9533a09982b2117c61528

SHA1
3dc0e877803d6e16b28ce0840e2967cc74494a61

SHA256
ba1f3e4598c5716bbfea508fada40b7dfd0989ddabd453e8c8703c04270151fd

SHA512
bbfa29299a1e948506f6ec3802aceb27f8aef3a5b2e3c9789a92b2bcc959fc2523d2344739ccc89df370dde6ea23c1db5ffc7e4799b5e532b0ec85dc98996865

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG

Filesize
644B

MD5
d59d425a5672bdb23aced47f2cf4c897

SHA1
6eb8bf3f328975250fb0f9fcf56bd1fe530971a9

SHA256
09858e3e9eea849635ec67d94dac9b6f0c1f8d4bf021fd4bd2998f7e23069026

SHA512
0f45ec639bb40c216dfd858df1a65766fd7ca95d5015ddbeff525dbe5433bb83ff786665864e386c92ce3ab3de0c3e409bd90b93260dc5f8ff5a983dec87b7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG105.PNG

Filesize
40KB

MD5
5c1172831dec567dbdf05ae8e8a0a7f5

SHA1
cf9281b3bbfed132faece1c19ff5c9c0ef700d4a

SHA256
4d04ba36110afcd0c4d0e3c214cdfa42fb975bf3f5da6b78fd7e8f6a97eea4c5

SHA512
03f5341bb49404d96bf3532d1432ee3b40f377891f7ee1464011bbc7a6c76f0ea7162931fb18d89b5c16950c93bc0288da0ae5bce4f04565b627c92cd9c9972c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG106.PNG

Filesize
1KB

MD5
a708af8ccc9c0b2ba65a828eb09651f0

SHA1
adefd77a4a1bc13f836b2ff7f773abb69e7f6177

SHA256
4ba6951d4f317a5fd8c38ccbdfb7f9731e7c5421b4bd9aeb7f83bff87ef3912a

SHA512
6e8e4d511bb8861a0dccba17da26147516ff70feb9ddff816e27e516432c99493a40624e482074f9fca04b9d638060e2bcf1346eeeee24019902c91b23793fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG

Filesize
2KB

MD5
9e6e117037f3eea2ac5ba39de4891519

SHA1
156773a282502194ebc894922269dfea9fb3ba4c

SHA256
43398f595e5a0498cb9303252dcd5d0c0f98c1a1bc843c21debe8386e82700bd

SHA512
6afd9968434878ad1b739e298b351a221b00b9f140c475c9ab00d70b7e5ebaf6df6d20c70356db6f6f41c3ccb9ddbc34f1e8b4bf70f5ffcb64f0e0bdc0d9797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
5803b5d5f862418b64caa83396e69c7f

SHA1
97b6c8209b8ad65f4f9f3b953fe966bb09ee4e13

SHA256
ee340f8560ba2e71d7e6d305b959ff8fa77869dac916287da2bff7ce5aa2e159

SHA512
e9bf37f0c89299bfa369a8677ac56b12177dd3153246e5e6a9390577658111b731b0ab987044d30f43e05cb41d79ed31dae3b6f4521f225925920617d0414edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

Filesize
1KB

MD5
2003db45b3b05d65f34d7047e68a25bf

SHA1
418d27146938b810c31ddb6a1f8075e7be1d2f14

SHA256
10cf5fdda26ed5f3762d5a527fd2bac692034b8d848547e5c320037026317310

SHA512
8eb6143e3732bde22ba72da70b6ce6ee4ec9c9038334c2380b60e49dc24021792c32a2c7224bf04aa1cd8d77d57b0e3fdaf4606eeb3d4c2985bb9bd91b10738c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
60a19921c7ff3c75e28c302f95460994

SHA1
07ac64ffbb153c8675e2ce0651afeaa5e8c6652d

SHA256
33341d30463fbc7cf3fba5070925569c822b6835aabdb8ef2c3cf09547912d46

SHA512
b30b960152dc13b1a9d384c4972169392cd405bdf4d3ecf73f85cf8a9a68a075131b2495c0348f54d43d0e7a279907bc7b76ac103f4a624738cbfc73bbeeba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

Filesize
43KB

MD5
380f7b952bf592f1d46afc860e9634ad

SHA1
50c467afe895945bb246b700d66af758662bdbb0

SHA256
43303ebbb809356c71c8b040d2fa289106996aa04ccf54d9bf742db763a7213a

SHA512
08cba7883a4ed219f9da8537756d75a94219e2a3fb6dd50c81ca607b97388e7aedc19bebaa5d375f533f7ab17d8a748f85589f61a2e09d8a9c591ac5cd0bca8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

Filesize
1KB

MD5
93dfe531659e394eea5e5c7d6e99ccca

SHA1
00be7e0e02a48371c120b850410f46dd2cd4718a

SHA256
3fffd66684072e9aeafbda1679718a4dd1e569efa7e04df580a487aa9e4e08df

SHA512
a67ab0cd46fcb247e1ea47d17017aedd9e7359c739eabded9d2622d11c0a8fd49664ea383209c965d084a52b3134edd5a5be5902f1e85a85102f2c5cbc328af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
114KB

MD5
4a6a32076a6ec33b804682a0630d916e

SHA1
5f59244343506596b8b13145cc7b7685a85b25af

SHA256
91106348245a378a20028de836ca8c4f8b21248d6d5b115892f1d915d3f83ab5

SHA512
a0ac7f21f4d9c247915615faaaff2e164e6defb58bf015cdd3420a63238df8d3c984545179a4567d48882c4c59b483819f6bf59ca532d2449cd6deb081451fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
15KB

MD5
8c9e9b15eb203b66afd59dce6adb1c17

SHA1
a32788aa9d7dab3e71f9a3fe84a9cbbde87ea624

SHA256
4a15f14fb27f4f92994fbf28c93d7880c9585c15331b390f07b4c7886d474a53

SHA512
e9995fa8a13316d763eb4e1a60135f25e9ba32850fe8c90bb66f5514eb597f81c866381b15bce03207da0c0cfb3892cc8b844d8e521e519569842de3842c6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
15KB

MD5
8c9e9b15eb203b66afd59dce6adb1c17

SHA1
a32788aa9d7dab3e71f9a3fe84a9cbbde87ea624

SHA256
4a15f14fb27f4f92994fbf28c93d7880c9585c15331b390f07b4c7886d474a53

SHA512
e9995fa8a13316d763eb4e1a60135f25e9ba32850fe8c90bb66f5514eb597f81c866381b15bce03207da0c0cfb3892cc8b844d8e521e519569842de3842c6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
27KB

MD5
24c318ba26f9283b5e92e7b596729204

SHA1
c65121eb2aad0702eb045af97074245a41ae2a3e

SHA256
e24ca4fdbb69920a5bff0866a0e0921903c7dce1129c6147e9d7ef438dd5ce75

SHA512
a037bc24ffeefd4bc5a178609fcf202c24f9379acdfe93bec4fc68905912584ce7b158a5fbbcce1b896f0fe1e1373d225a37817d23e2193564517086da587dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
36KB

MD5
3e0380417f360b67b3073a5bc3d586cf

SHA1
709378fd44bfa1ab1b26f7d756dd9b81baee75d3

SHA256
9ead0714abf0aa928857f0cdf389ccba4a4f9951a14d916404d5e592c7355db2

SHA512
fa8aab3e1313f20ceb34d3b9403bdab8ffb113a6463195cca7ef63321bc37951435076222376331232f3ad0d6101996854543cef01b9fca598021c688d2d7f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
590B

MD5
1ac6a07c7ea7ee4be31e2cde190f27dc

SHA1
5e5eff83b598c6f54dd8694a1ec1240beeb5e611

SHA256
6ea22effc8053871778ddc30cc189ce06d14e4eaf0b40d04b92d8e366124c41e

SHA512
14a01815819207c89929880ab1144a526b1faf05a4bcd3cccc5e213aeaed07ac20706daba6fb293d9031f17c7048dff59f8b45e583aa6906c317e3c026835f78

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
6.3MB

MD5
a09d58d5281883d9b555cb8f99974f57

SHA1
f900108770e0ee69a88df27bfeb3aa13322385b0

SHA256
dd5891adfd1f98f945cd02c02a231a41c8224ccc350050b65e2b987e075920aa

SHA512
0f9fc01df7bd6fcf25893ef1a31d0105e19a853d81d475312c1ad4d3f17b77ad6cba659c4b78bda8040279c91947d9277987447a3795b7acb393a5eb95ae8f3c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
8.8MB

MD5
c6fef94e9c8d29da29461f6fa20b52c9

SHA1
2744165dda5e2a5bd2e635068d040dcfe4e865ad

SHA256
004c078e6521a2cf61efc7a0a35bcfd8b71468124cac0cf116d853c4cb61a4dc

SHA512
90bc2cc5291e1d7be71db7bd43804995b83b48fde86d5af61ebe83c14d989cdf9a6dbadb174d38bd0eb953b6e7832da30513d2ee21fd3c3f6a9c401e82389539

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

Filesize
1KB

MD5
714ff209a00d50ca301063a38165db1d

SHA1
1400fdbe5e535b581b34c054183929a7e5548a69

SHA256
7749ac363a9f638040d0fb132be254e7569ca94e8e9e7917d1cb78050d2387d6

SHA512
d6bb2a5229300b6ad307e430d9e5e02fcbc9316dfbac0b836fcb6cb2f95739716c628d4afef61e8d34dae33f6345550bccd57b3b01cdc5f9335811e5e3fac6e4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
b3af6be5f4d16abd764157ec3cffb2c4

SHA1
bdb2c7ae18e9dd6d2edf3ed59be14ccfc400f4b1

SHA256
0e34299965ba1e761daabad45cad9aa27dccaf90a30a4badf5008b6a3d15cb5c

SHA512
eaf0951a615dbc0c7d6a364a53fd3401b60f53875f5d9a3bba922eeeadff83cb12b81e4b8cae1c612c3782c3c16b20a6e0d882dd913bbb533277d82af71a317d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

Filesize
457B

MD5
6afc90de971a64e963b2b2b2c9cfe0d3

SHA1
2198f7fc711a848ee4c20b51e72819b07bb81ce9

SHA256
d720258ffe5025af550847c3f674ca9854eb052b0bd964a40b920188d26f3ab4

SHA512
e418485b852e6ebed96bd85da59254ff63b7c6e390e71ae3e298252fee980b89942bd26070c4ae6615f44685fb496a87f7549a1ae45e2fcf091c10ae2bef661a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

Filesize
352B

MD5
269665f4752b9a668b8ead9b4d6cead8

SHA1
9eac14e0358fde1a2d7bbcdaf61eee90b46589bb

SHA256
68c133a816069421a9e384aeffdb3dff59945ce69da2a77da947545aead75b27

SHA512
0c2040775584d05271b701b3e43c45c621b48e63b537f9d441bddd44d25d18042fdb3a213836c6b52582bb358d7cb08bce9c292f4ce0c79dc0ad879d259fb74e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

Filesize
438B

MD5
1f4c666195230d70d3eb563429d7f2fe

SHA1
841e76c2570b50edb29560ff2d4c9a2cd460e4ef

SHA256
f1fb2782f6b321afa66a82c686ac0ce11919f38e7f33496f0f0b7241a901019b

SHA512
eacb98e7f9cef2f8d2ba13808f1f7a77d4244bac0b4a45ed788628064e8c86c4e15cf091b8adac1539a4705c867e72714c4b7d902ac0c281f04925661d3bce89

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG46.PNG

Filesize
206B

MD5
6b2addb09533ae5cc0650ebc8779f948

SHA1
7bef900d216614f9f498d33b345372e40d872628

SHA256
260b130f51840a7b353a640ae69484498c6ec957e37f3bac831a140db533da84

SHA512
769bbde3aaac255bd5464acaedae0a5b9ca0e11e9cc9ce0d71cdb4e47ee21fc3610bf43240d52cf2d9bdc74478384f5c1130f0d919927067631d01a1446aece4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

Filesize
1KB

MD5
6ac1b334813957693405396f4796860b

SHA1
0b65e65880496bb6a610bd9f247557ac82d8a977

SHA256
2e7817a1fac90ec183ec3d2325162a23078ddff4cd2c387d2b74f7d70321b4aa

SHA512
9319cd0beb9a114c334bc82ae618708fef4ef43ca3d70b112f60dcc38a68ecb8c728073c169d65d76e05e72e47624859a48e80e8e44e0e8d2fa4cd425f6f59fb

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
1KB

MD5
14a02d0eb05243706364523f60261125

SHA1
d46052613634f65f7b2fb02058edd65acc7f79f0

SHA256
3d8a062470073015df141295ca78a41b68b39d24b17f50b212060c3677c02494

SHA512
15d99962f96cde8329b981701d2fdc8a46085b6b60d324c41cca5a27ba425fa24567a51b0ed91e2da70c7717e2a70e6882691a509a25d2c6a306527d0507ec61

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

Filesize
41KB

MD5
93989ba5ff12871a1574740f636c8698

SHA1
44c795f434bffd4efcdb915cffd1f18f959e08ba

SHA256
8585b72b8a5088e213b97ddb2f25a4bf5502a7c65058817722e0332b6017facb

SHA512
bd8f78d1ea50d05a528784b276b846f091a258bb51e27c7e6fb4d8757c05c62c801df570edaba67ad457e7cf3ef2363c777bccf56e9c8b68a74acf2a453825d2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

Filesize
1KB

MD5
63710485777644af1779a06c56114dc3

SHA1
0c3fa7da31833a1e38acb5a7ef8b67e4fe96bba3

SHA256
9b55555c0b68c45073787fe674e622c38b0052baaed0ce72c209248ae2b084e4

SHA512
f5d7b20fd5207e71ee59cebffb8efffb5dd5bb24fde40622805da09e2ffc6c9d22fa31830f26780cdb67283d201c473829a116de5a67f3d5aa1a41c44d16adfe

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
33KB

MD5
bd5ba0b879245799e06d17a8ae2c4c6f

SHA1
114017095c4f856fa0e2c49b02f08288db8e4946

SHA256
a2a79cdcb62a167519db917ea4cb5ed15f4674b10db63e00d6eec26792ba675c

SHA512
b5bf10ff240702c14a4cee92d17a177837314c557913702b365ef62027fd65d8a4466518b9805249dcf9bb356eadf18c26808b8ecf0cff5963e871d04f083120

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
8KB

MD5
4772be0e6610cb0daf4a3fa7361092fb

SHA1
867e857f68d60c1efb4a19539bfe986bd7e1ff4e

SHA256
6eeed9de83b89afd62fbd76a8a16ab654913782afc409f378429f13b8221dcd9

SHA512
633eaecb238be1a07cd906a699424df55a63239f08bf9cb8dd3feb5b6cb70889044551b00842a6d182a50eaaf882d701c0f57e9ddb5b2e426ef5c41391a1356a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O846H2A4.txt

Filesize
869B

MD5
0d17e7740b9ac9c4ade38b994d14a62e

SHA1
61526f553e0d968f9f6ef885f9d89fa1e2ca2278

SHA256
052c4cd48b94cbbe994aae68ce6759dae7ea36487273b642c9948c40b3a44105

SHA512
a206abe3e3f67cb0b9da3c9cf39064fac9657fdeb7ab1b14a0a0e3177f2c9f2696ba1634cf1c335ca784924aa2b35f513530fb9f9eaa7dea7610b80b3b86fcb3

Download Submit
C:\Windows\Installer\MSID6E7.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIE098.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIE490.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIE490.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\f77b819.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\f77b81e.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2311260545516961540.dll

Filesize
4.6MB

MD5
21b50971a7fddce167df551192f3f5bd

SHA1
83b5148b53da8965eb0292129c5f224cc6bd0261

SHA256
74e83a6ee9e464d296292681ab8f8d83a5d83f43b6b3aa084584046acd89996d

SHA512
f9e82df4c56c0f7fac8c2befb2715833b6c8d1d3e3d16ee17675912cdaf33e021ccb57ebc92873e7515cb36428175aee0cdb5f56e1eaf6308ee2a060b114d19b

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2311260546000571540.dll

Filesize
4.6MB

MD5
21b50971a7fddce167df551192f3f5bd

SHA1
83b5148b53da8965eb0292129c5f224cc6bd0261

SHA256
74e83a6ee9e464d296292681ab8f8d83a5d83f43b6b3aa084584046acd89996d

SHA512
f9e82df4c56c0f7fac8c2befb2715833b6c8d1d3e3d16ee17675912cdaf33e021ccb57ebc92873e7515cb36428175aee0cdb5f56e1eaf6308ee2a060b114d19b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds259477882.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe

Filesize
2.8MB

MD5
3a56992851f2c25e34c076660eed6329

SHA1
5d175857ac1eac956eaf7f040c463991aab6f978

SHA256
8bc55de0b98330cd5c9dad052dc09870c492906a6efcdb75a265ee2251c1f892

SHA512
52e16a8107841e75054c15aecbfbd7a14ac1c904b2038e9fec95d053d2dc4aff4a6b8421d8843f1d72428903dadd5f38be2f13d08902bebdd5d5764736224ceb

Download Submit
\Windows\Installer\MSID6E7.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIE098.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIE490.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/1180-19-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/1180-78-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/1180-6-0x0000000002E40000-0x0000000003228000-memory.dmp

Filesize
3.9MB

Download
memory/1368-337-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-335-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-336-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1368-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-334-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1538-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1494-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1553-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/1368-1426-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-1472-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-308-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-426-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-427-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1368-309-0x0000000000800000-0x0000000000803000-memory.dmp

Filesize
12KB

Download
memory/1368-374-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/1368-20-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1368-1469-0x00000000000D0000-0x00000000004B8000-memory.dmp

Filesize
3.9MB

Download
memory/1540-1336-0x0000000000020000-0x0000000000548000-memory.dmp

Filesize
5.2MB

Download
memory/2264-1764-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-1754-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2264-1755-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2264-1766-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2264-1767-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2264-1770-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-1772-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-1758-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-1751-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-1753-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2532-2124-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2532-2125-0x00000000022A0000-0x00000000032A0000-memory.dmp

Filesize
16.0MB

Download
memory/2640-425-0x0000000002D90000-0x0000000003178000-memory.dmp

Filesize
3.9MB

Download
memory/2640-416-0x0000000002D90000-0x0000000003178000-memory.dmp

Filesize
3.9MB

Download
memory/2748-1340-0x0000000000C70000-0x0000000001058000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads