0b1b9037233b62a601b31def961ed5a43773b7407d864c7ad40da9ab9ab91b71

Analysis

max time kernel
120s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.899-Installer-1.1.5.exe
Size

24.9MB
MD5

dc18b7f4917cb800b1fa51251bc5b6b3
SHA1

268524e70c51f2f1e0eeb82ef183943aa5285a7c
SHA256

0b1b9037233b62a601b31def961ed5a43773b7407d864c7ad40da9ab9ab91b71
SHA512

e02ace9761c7736175b5a2c2541a51246adc5090c87724962362ec540118b331be1aeffbecd15b469eb4ee0ec29d436cd76b005ef7f7f34cad9084bb2ff03420
SSDEEP

393216:QXeigDRT3h2dPfs/dQETVlOBbpFEjLsZqV56HpkBrr6of5MJ7ZWqxPAIgtMIMlFN:QOigJ3hGHExiTZqqHpCrrKJBH5lFRqs

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
3020	irsetup.exe
2852	BrowserInstaller.exe
2468	irsetup.exe
2996	TLauncher.exe
884	TLauncher.exe
2060	jre-8u51-windows-x64.exe
2192	installer.exe
1480	bspatch.exe
884	unpack200.exe
1736	unpack200.exe
2476	unpack200.exe
2452	unpack200.exe
812	unpack200.exe
2620	unpack200.exe
1608	unpack200.exe
1968	unpack200.exe
2856	javaw.exe

Loads dropped DLL 56 IoCs

pid	Process
2276	TLauncher-2.899-Installer-1.1.5.exe
2276	TLauncher-2.899-Installer-1.1.5.exe
2276	TLauncher-2.899-Installer-1.1.5.exe
2276	TLauncher-2.899-Installer-1.1.5.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
2852	BrowserInstaller.exe
2852	BrowserInstaller.exe
2852	BrowserInstaller.exe
2852	BrowserInstaller.exe
2468	irsetup.exe
2468	irsetup.exe
2468	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
664	iexplore.exe
1192	Process not Found
1192	Process not Found
2592	msiexec.exe
1480	bspatch.exe
1480	bspatch.exe
1480	bspatch.exe
2192	installer.exe
884	unpack200.exe
1736	unpack200.exe
2476	unpack200.exe
2452	unpack200.exe
812	unpack200.exe
2620	unpack200.exe
1608	unpack200.exe
1968	unpack200.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
836	Process not Found
836	Process not Found
2856	javaw.exe
2856	javaw.exe
2856	javaw.exe
2856	javaw.exe
2856	javaw.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe
2192	installer.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\InprocServer32	installer.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000167bf-3.dat	upx
behavioral1/memory/2276-6-0x00000000030B0000-0x0000000003498000-memory.dmp	upx
behavioral1/memory/3020-17-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/3020-350-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/files/0x000400000001cfb0-392.dat	upx
behavioral1/files/0x000400000001cfb0-405.dat	upx
behavioral1/memory/2468-439-0x0000000001080000-0x0000000001468000-memory.dmp	upx
behavioral1/memory/2468-485-0x0000000001080000-0x0000000001468000-memory.dmp	upx
behavioral1/memory/3020-488-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/3020-490-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/3020-885-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/3020-902-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/3020-1154-0x0000000000BB0000-0x0000000000F98000-memory.dmp	upx
behavioral1/memory/1480-1888-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1480-1892-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\installer.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\fontmanager.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_socket.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfontj2d.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\resources.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2native.dll	installer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77ec14.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ec14.msi	msiexec.exe
File created	C:\Windows\Installer\f77ec17.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9CC.tmp	msiexec.exe
File created	C:\Windows\Installer\f77ec19.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 0066b2f69169da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3003DFD9-D585-11EE-AD89-66DD11CD6629} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2AA69171-D585-11EE-AD89-66DD11CD6629} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2AA69173-D585-11EE-AD89-66DD11CD6629}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 801294069269da01	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fffacc0240230f40b575ac5982df49bd000000000200000000001066000000010000200000009d6f9691ab18f03f935b508e25480823439726e25197412f6210ad5b665847eb000000000e8000000002000020000000e967b0a1e4930e91314f8ec90156fda6163fee897d1b65dfc8de692b8b5c92512000000069a155c7c38a1b3b58a5f9754fe27d02e06f979f5e3b3b1769dbbfe5ccbe0092400000001836641b75166a4aed11d961601867adecbdd4d2abcf428c1e15dc0d3e248f664ae7c15766b27bae34ad23acd271f99b269698f3a8c182eadbe10d259b5ee323	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fffacc0240230f40b575ac5982df49bd000000000200000000001066000000010000200000007a4d0c473ba6f280e4862556529faf5cdbd42eb61326c55c20d0ac826c69013e000000000e80000000020000200000005a6ca9966ece436f2f7f12b720bbdb4ac0a1b338bca6637d05e931eddcd4294290000000e4dfa8dc846575de2a6fea0b4e247e2243df0577f7a0b4a56aba346dd912c0435da7947ee18f56a9ca33f16406304d078cea96a62df99f2cf90b306fece6d2b1d4235205485d8e992986b6f27f9f78353e8638681432171e41564760876e53f55ef5d6c0036fbde65619e07147cd02f119dfee7877f87925fd1e5253328f2b6045571efe5d0ca36287bf48a070c4f42440000000bf0d72a2005f047b48c64b25d135da287b0ddc51ec4ce766f52f5121d7c8c258a8c740fb87fc9043a6667cbce535a1ee10d199d7a548afbd4bc0e7ae5f4ee813	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_69"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_02"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_44"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_42"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_12"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_06"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_02"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_20"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_72"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_29"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_92"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_08"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_16"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeSecurityPrivilege	2592	msiexec.exe
Token: SeCreateTokenPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	2060	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	2060	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
640	iexplore.exe
664	iexplore.exe
664	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
3020	irsetup.exe
2468	irsetup.exe
2468	irsetup.exe
640	iexplore.exe
640	iexplore.exe
740	IEXPLORE.EXE
740	IEXPLORE.EXE
640	iexplore.exe
664	iexplore.exe
664	iexplore.exe
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 2276 wrote to memory of 3020	2276	TLauncher-2.899-Installer-1.1.5.exe	28
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 3020 wrote to memory of 2852	3020	irsetup.exe	30
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 2852 wrote to memory of 2468	2852	BrowserInstaller.exe	31
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 3020 wrote to memory of 2996	3020	irsetup.exe	35
PID 2996 wrote to memory of 640	2996	TLauncher.exe	36
PID 2996 wrote to memory of 640	2996	TLauncher.exe	36
PID 2996 wrote to memory of 640	2996	TLauncher.exe	36
PID 2996 wrote to memory of 640	2996	TLauncher.exe	36
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 640 wrote to memory of 740	640	iexplore.exe	37
PID 884 wrote to memory of 664	884	TLauncher.exe	40
PID 884 wrote to memory of 664	884	TLauncher.exe	40
PID 884 wrote to memory of 664	884	TLauncher.exe	40
PID 884 wrote to memory of 664	884	TLauncher.exe	40
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 1924	664	iexplore.exe	41
PID 664 wrote to memory of 2060	664	iexplore.exe	43
PID 664 wrote to memory of 2060	664	iexplore.exe	43
PID 664 wrote to memory of 2060	664	iexplore.exe	43
PID 2592 wrote to memory of 2192	2592	msiexec.exe	46
PID 2592 wrote to memory of 2192	2592	msiexec.exe	46
PID 2592 wrote to memory of 2192	2592	msiexec.exe	46
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 1480	2192	installer.exe	47
PID 2192 wrote to memory of 884	2192	installer.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.1.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.1.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.1.5.exe" "__IRCT:3" "__IRTSS:26073958" "__IRSID:S-1-5-21-1650401615-1019878084-3673944445-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1841988" "__IRSID:S-1-5-21-1650401615-1019878084-3673944445-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2468
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:740

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1924
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1480
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:884
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1736
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2476
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2452
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:812
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2620
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1608
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1968
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2856
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:2496
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      PID:2672
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8455951468878aa5c39060f5be61e4cd

SHA1
c2a584da3a71e972ba97f6444c29be5604f421fe

SHA256
145a9b81c7cbd16df5278ded846d6b37cbe76acc68b360f2600a57a30ec2a28a

SHA512
ce622069ef0241bd3a48997cb326c74fdae3a8531f8ceeca178e0cdf765e32259e44a22489a31c1e7a7944c8f3ea4c8313018f3f9d7baa8c63dbd6266c706e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
9b1f6b70bda69a1103260c6951aa560f

SHA1
121da6f9d62998913f09dedbb4b23efdc2d509c2

SHA256
fb69fd0d9babc979c3b479a20301fb658b23ccab1b0377925423860439dda4d5

SHA512
3ab2380733ec7c1e1bdf2252cecaf4b5d50aff8b887184de127b0849016a19dd332dc9d392254f4dcca71c730f17bb9d1a57b1fe47e32adc78a1021d433448d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_279EB7E7074697CADB0A3844954F1B7D

Filesize
471B

MD5
ea1fbee74a28f6abb6cf1c2b456b3ab6

SHA1
f65669de0479de1e16fa36a2e3b39e43d08b4f71

SHA256
409fdea1287905692a49a82dbc96c344417966377fcaf94483dbcb81b343af80

SHA512
ec88f4d036a3c739d10c589446a28929fdebf3bc3030dc28a78ef489a369e3582e961c65f0d24f9d54316e0f4656c36640b3395777f8b3439e613c81a2105117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7b678690ca9c5ffc1cd96cf3feebb319

SHA1
c3ae9daeeb4177d89f97d78aa1718becb1e28427

SHA256
c5eb0048cc195f5b8ad7428b03dd839dc73752a3f8d1568e81535fc476a50e39

SHA512
1e6008a360f3f44aec17c0a8dbefe381ffeb895c034869c07a05649359c11ac7df614a2b6e88a365d899b3be7af65d5df02eb96213d2901ffb04fa84117866d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
84606298f12928666379c0a11ec175d5

SHA1
b514343a920b730efe98122d8832284ffb229e6b

SHA256
f295bfdc967a262cc6b0df05873d1563d96f52aa1666e29a7d74f317bb900ade

SHA512
98d39c8d6771cf7825796b283f0b2b6f73b81322f77ad8837d1faaf4a3f06b2ac8d72d6468f5271675be08278a12d1a86d792250440e6cf6ed95eac7523b9106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
49f6c538a7043cb9c058502f72dda1c1

SHA1
4848cef84b88f0a5faae7b17184aadfb3db56276

SHA256
56ae3c71e83e629a131ec786ebd0f03fc6d689db15c523c71a76d482b5d3cdf0

SHA512
f270afba7cf20d5873c1b7e6c4ce7f0eea4cca7c9d371f70e7302c4ca41ad62408044b0dc06f217745876ae37f47df0c5aaa30053564d2b884db9c4df2c8b605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e5756a3092c030f0e22887c2f017f8f

SHA1
634e27479efa5c6ef0533df5ab070067c8af4696

SHA256
a355c448c1dc82c7e629046fab589c86e7d56fff650d58204f7c4e4ee1d1fa27

SHA512
8e57f6246c57d8a50f003233efd200dccea82284441d24906f4440f7be34e2e4a78b706f8ed7adc5df5065748a6d881fb5f4c56732812a8c568313f873f6e652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e11cdf215e9bc8a9458ed381c67570d6

SHA1
bf0f08f66ea5b222f61d5428e6361c33c8f2bcaf

SHA256
521e8a0077d7ad0559e0ef468179e7bb28ef9a12cedc721d56ed3aa097c81f66

SHA512
c041be6b213b1f9ca6253e59ad191db314355b6874233ae33a5cd057f5e4272d4562e43e24941822b0d098cba4412faa66fdcc9adde1ff2ed910236cd06b1a0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e64c25dab24b66a73192cdcb22286cdd

SHA1
a65c1bb9d3bd9d9113385754ca353c78b994eaf3

SHA256
3690748eebfd21de240f921ddfba48b38c92cfd85348a0c1eca16327618cadca

SHA512
d8a6ac4738889f928a4f79853983ac7f579aaea85b0c8b1481d8933689ed17968941e0732414df72469f9d7daf8d96414cffe3aaa00b3e3cc08d04b6581cb049

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c23f5fad5c2b5516cf361c9451bdb6c

SHA1
672d308be7deee835366d38757e2154d7fd82665

SHA256
b6eea04a5bf2f3b40a3e3f6270dde39db186a2a201aa0c079f04aaad428f72da

SHA512
c10c8188b63f7797cf36db42af3d6b1156325ff2a8873ba6afa0e7f00a2f5b3bc2938f59497d9c39c796d0a11f6ff1d30ba9f1c1279a56562833e5c0d3742fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb8595bc1a0fa5b50743bcb62d5c5179

SHA1
3b55100e72524108c669f0cc9d649fd011973f75

SHA256
1f54e2e7397273107effb3777f9cc5ea9f07260c447d0204276fc72dd57db8cb

SHA512
6759af3916db7c808d79a9acdf45f17ec94eb01249e5a06b5778c9b28739a1e01e49e6eeb595979ab8644bd82696384ebfe00ff15f2d9db93911e9aec7ec70de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76609e80c2b85ca50c07b0b1fbe44241

SHA1
ec230884d1cd1310a46eccdd40584047b7c5468a

SHA256
30888e7f8457b68fe2d13ae1f31eaa9007e7ae85984fff543746d7c47fb85e5e

SHA512
ddc2e0f611fd7dccb7ae0599026b6a6b2a821b0346fd9a1de02d0d1db9ffeba393c9dfe5b640d6d8183cabd5afe2ee49f2337f70a4e71f6935f598a65dc81e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb88e03427d96f3f12aebf2915e4847e

SHA1
52633b4a7e69476b3ef7bdb99296bc145a413717

SHA256
ff4a0745e8bd4796a0f9265ba24aa11ce2cf8f9417b77b78906700c850d32b1d

SHA512
b5ee334eeebe00aeaabc50c273d7557ef2950713370cdad590a72c129aed17e080c4736b07fd71f3fe377d242ac59e773efa6c33472d5a3c9861ca411bd7b628

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0c64a75057738018265800ff7668f5b

SHA1
b98ec8b3f14ccdbf2da8652f21c2c2e1eb8f183a

SHA256
a14708ae33a8ab093e568fc242c02c80ee6f5ece1178ee09a630181dabe57be2

SHA512
277b4136446abbfee109be7b9f25dffb52c3c8d0d50cad85c78c0b02b3d6bd722bf0aeb1e84bbd551bde468adce2226f9bee03682d14c86f93d2decf6cdfb853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c501bf0f5593f8b4b9e9ee35406f9327

SHA1
cee5e2b44221ddce1301680f5727906e0b79fc3f

SHA256
fb89975dbbe828a98a640d5ad42b6d85b54e28c79ab709b58e8725759393df59

SHA512
71a46f0d904fbd03e3b2327bbfd6b6f0f3570389878402bfa2af495ce510a93010e478d9a77e8393d6af98b9f5f1c46b41e1a8a9ae4596c992f68d01201e1cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0785bf75841b2173cc043fc7ccf3e79

SHA1
470300a38879644a3c21f79fe395f62f7ed695af

SHA256
61452e1d2791bbfd9c4295ed47faae0121b12de3ba9ef42b3e7fe732a078500e

SHA512
bae4e60576292ebe9af8c950551503e55dc256c924de6aee9aaeb90f04b947cffbfc9c8094034dd92eba9ae1b30acc31ec961c0482ef8d02ce49e373658962ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e80ca9d933ba55253ba0990ad9d4184

SHA1
d7d83018317573f0180a13be7ca1c8ab305eceb1

SHA256
163e872bd35123402c6a4bd33f835e023720999e4a1c613e96a7fb3e2185f0d0

SHA512
440c93ef308d03b1d66e26ad83090d829b4406179986a0cdbadad45f233e5fd283adaacccebf1bf34370c92b40415df2c38400693f23dad6ed90ff688c0357da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18b07d1038562fa95d99b26c9ae0e904

SHA1
51ab16a388046865dc066a76dcf313278128e6b4

SHA256
1c7b3d5137739ea65a5281684241df95236c2fa8b0b792603607eaa2b5e9053d

SHA512
de63982a44f5a2bfd30204e421055e1bb0b11c341ae0bb263000fd2360956206f7a4f30946256cf696929865de31faeba45b143017cc8a1ef88002dc899b8b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6d35c63d1d7975e915c31a077c0fcab

SHA1
eb7a4f5a12bf769191e582435ceafe7ab890045a

SHA256
1ce7cb1222d4250d253d587e9d2bf95b066d248fc57f3710006f7fcb47045623

SHA512
6ad0e61dfcf46fbd0907cdfe5d337aa72cf5c7e3ff070914ea00be043f73e7400292b6ea17d94e70f7a2d8a1a86d951deaea5bf9470a44e35fbb8bbccccff679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c385e2ce4da5e8c49f0836faf02f472d

SHA1
23951a22b051fdd2f583bc222992d31b2f7eda70

SHA256
b1b636596f4d52cf0b31013499aa7ffb7c10f8964ee61c2dd1006070467c56f2

SHA512
47088b0c753d4cc49616b3eea8f2eb985838f4f4f3f81affbbcb6f67f63aacec13e9a31ca146eff904cbf69c840a0e898e2733d837f572c4b93a5793a8ba76ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39481001ec05d0e46e718883d8c21f01

SHA1
8ef31db4dc8a98c5aebf8c9ea38bd5844044bf86

SHA256
84551de39896768360c48e2475c5219feaf498a37c33bb7c0703866273d0df9b

SHA512
78a6aab8d3686a5dbadbf791f1b25bd312aae9d9374e48c9eb1cb400b946897d476113b5a750fed44e58a8b3724b7d150fea5702161dcc25378cccf473bb6372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_279EB7E7074697CADB0A3844954F1B7D

Filesize
406B

MD5
bf0ced3b9133e4cc722a4bd74d6501af

SHA1
d94589e467f08c4242f5c1abba0b2e5fcd8bd441

SHA256
1c6aba50c682332533a49d6084b9db10fdae375d8cf1ec7cf9c71916e63aff98

SHA512
04f6ff9a6c703a24cf9ccb35c986d6b370596aa3013882f3375367639585d3d14663b0089e61bc654c9ecf30dc8f60a78a4129c8969c85a038c07bf04db9527a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
cebeac8623f41e9ec2a31fabbc2f078f

SHA1
12d33953076231aedf04e9987ce2106135bc5176

SHA256
a5bdd60aed6247a1ba955165becb298c984a26b5e92d8e14ce09b47370df91a4

SHA512
3a5696753ebe49c49f7789d056a3eda5a80421f823c5163c88b73805dedcd86a839263604cb62a192050560ae63941e40159d056bdaa11af8844c430682e5e38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
341e7a56af1920385cab96c28c10f872

SHA1
37e93061ff867410eedcf8e38e1a79c37d20ac4f

SHA256
17d7d37e9f63f3585418d836b11e2adaee9aa7284ab911aec8ec550a437fd7cb

SHA512
364ce476f224c306bacb0e148d551bf217780d6ccbf37f1aff7a5d08de0d3af67f0a0f863434262143d024aec733ead06f88d1786114ed7821e2940029813851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1c69c925a1f9b3bed20be6022e0ecc94

SHA1
e68e6e6a8201f268eab48e30d6c10dbffd577ac1

SHA256
e0f9d487d7eeacebf6255423ac4984e738abdd48bf1f5f09ac3219dd81b31488

SHA512
9548f94261d2d19185a8c5db8cdaf5c4f8dcc6505b6a74f3d0b2dd5335951f818022932cd726f6e004ceeed1c583bb629f0790d56a63e74cd0d82acc77669a34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
2870550f2944ded0e01d4e668ab22717

SHA1
9be03ff47761a7bfa0bf342ce04ed67301fb6d09

SHA256
d89d6138bf028ee60ceb8d325c6336b2e8e9c175e09aca3743f479212e88d375

SHA512
3bef5f5743d8a8c3ee221db2097420d6a8dcae32e32c6ebfe9cc8454436001be6dabb6ddb5715c36af8700a69fcc47fc7b824251b935103ff5ba00b2f1fa0943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
402B

MD5
3cc2300c19b3c8afe620e5291e6d7c42

SHA1
e45bd01137f9eac053997eddb8c9bd7d101458a1

SHA256
44cd0ed1a06c5ff049ac346833aa0125a5db54648bcb5fd42189b4735b8bfac6

SHA512
d0a87e6cf42f96ce8ba186c048e9581891ffa7af4193c43d471468093fa32f27eab86fbda233dd70f586f791f7a6e1d827dbf3f39a008684a4a7ab1652c626dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
12.8MB

MD5
8ce9eb739d23513fa905a76b7242817a

SHA1
16c8201c7ac2514d2f2a9f0185dc5b7cc4af8be5

SHA256
bd66d306e28fc10652acfba5bf3e59b5e34564532b6432eb4a804ccae82adf66

SHA512
774b2b06ea03cd1591b9d0d9ae726c5f0dfd8f83ba19639f5a0230c098602250db3b6b2627a0a4ed8619b8afacbc11113702f9ade609d9746549bd5ba30ef430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8HPZEQOB\stylesheet[1].css

Filesize
6KB

MD5
5a9976f81fab6d879b52bf460f9ffd30

SHA1
d150e8c74449a022a4a200edf71d3231c881a25e

SHA256
abc4e8a3e337391d86731857bd8fc2511e35c9f5c17544fe477d7295df0cf569

SHA512
5913a7a04f633a852e18311b76a09725a2ffb87dd8876a5afc2e408364fdacc33b634f8e3fdd37514e5a83c8b71b2333975a79ec040f54cf9a1d9cc56bfe09b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FF5J0ZJ9\en[1].htm

Filesize
6KB

MD5
de12b6fa1d6ed32bb05f4e195e094b47

SHA1
c89605b04b09858855d31a7e156de8671cd6ba16

SHA256
395750da9537c87ccb0d7ab15a231d6d6628357b803cb717b66862924a776ac3

SHA512
8a58f0e8b38560e277340a5b424342e7b9fcabb415e14318a5a3199ffc56fc500ba89144d53d482073626ffffeaf6b5a31e4283482aac8b4d4d85406ae338ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KS3HRGDJ\js[1].js

Filesize
226KB

MD5
bb9127762e00398e3e93afefd44783c5

SHA1
5597131baa3de6d11f8bfcd6ef16b1ee5b3e14a2

SHA256
20e000899ffb45ac24e20961ea9fe5f1aed0312066b399812bf0d1733879d153

SHA512
c281ab9d99c1104f4bbb3450e5dfcfa75e97ac8357211c6c74ead1be4352230c8946364669ca3345926e10b5e73001d5974ac09106c767da93228085e3cc6384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\J1UUM2QQ

Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe

Filesize
3.0MB

MD5
e9d697a1da1314421b5c2ad2e8a59b74

SHA1
913ec20590745373bc124a287ef1a201ae2bfb23

SHA256
2cf4beb9c2904b1e6380df724375531ae047121a44eea43418e122bdaf29a75b

SHA512
4c3f3f926f7fb31ccf094593f1ffdc9e09eebc64b825e077d05a50204c174e3d44c019a1c6954cb0b830f6e635daf464061990c0a5e70b9e1e177caba391a5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe.491z3eq.partial

Filesize
9.1MB

MD5
377420bc20ec1215943a2ccec20fc870

SHA1
2e9268153775fe783b0a56b4a5e17cae624b3e21

SHA256
d307b282b763be97b710c9fa304d4e73332c5abea541f66436fa11aae1ae9708

SHA512
bd7eddf14c6bad4feb79749c51ce87c71b98ed351750446cd05212ed7534e7e45f4534704b38fce2a7f3724e1bdfb710d684c882d936bc40506b6c7f2f22f2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6C4D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C8F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
e03bd571cc5d6ee141d605b551c159df

SHA1
514ed140a60de87dee350eea098e6eaab48e0011

SHA256
af8531e28dbaf03f838592c535495f564c9254e981a411e01fd2ffdc22cc3bb2

SHA512
64ebae57ee5d093521d162defbd823d65a8fa3676e27dad7b0606bce34ad76ea1c88154451dc1da83a4b40cb571ba2b34377a4efb40280a73426a6bc6bbad969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG13.PNG

Filesize
43KB

MD5
9f6d4685d41e8087270553bc4ad239f9

SHA1
1a1b5e3d7c5d4ceb2a03e460f67343ca0b42c636

SHA256
59e81ad4b4616784ecfc0ebaa2eb9ad4caff8772daa4c62eb6ef4b760e73476e

SHA512
3b536676f0d98e444b653ab95d89f46b810570c2fee0f4364a757a4959956616dbf3d3e2266ebe1a03e7ef04f2083d217c39fced6dfa69cbac6783337ccd9e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG

Filesize
644B

MD5
66848180d72d7b981cfa68787ae29607

SHA1
d8c21f0044cf1a71f701b83a46b2247daed4c8fc

SHA256
e8db72179bdce364b1464bce89cb5a439e22e778606faa21b2d224f80eb497ff

SHA512
adf31f80b47eee0e820d62fd0afbbbcc9441c635de0a2b2618c5cee252fca7635c7d68b8d0b6300b61b7e1422d09df1ad40109c9d63c5a59b4fa30d80ac5e750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
40KB

MD5
1b04a61a0ecce1ca96642eed7859c216

SHA1
a831ab8ab216742511d1b97162884acbb9969cf6

SHA256
0d775406380cc98df9650bf670d0d87bda0e3a7f21cb3dfc6ce81c9294b715ca

SHA512
6eafd2b5718a3d70bd99363a5866ed74b83bf4adeffdef44351a3e9152121b91a6d0cfb06625ca0b83fbcd525defe5bab26ccd9795d9a35ebac613c087e60ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
fd067308f6ecdda0ac1f8c6c3db13073

SHA1
9f5e3d184ef9decadeaad47c92f7d89fa25e6221

SHA256
e71fdeb30be88572674bf52b8caf9076c01e55a40ebd027c28849280a979a959

SHA512
fcfd0467df08958c7a4ac0603852a0433a3f2c762010c2ce7a03cfc42a8d7642c20f011131da80ea86812b49fc6ed4323c9edbfa4c7c0e5109974217bbf1f8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
45ee4bb308bde05d4a114960fae2b9b8

SHA1
4c33fc5e4543ba014133f6d98e7c15fa7c562565

SHA256
53658222455fc8320207c6d00597586462d1ddafd80a5b07eb1dfd114f17d1b6

SHA512
de441586f1e8da32e3c5afcd779e6f8a01c29ca904db3e6db04b49335753067a4d0142beb2828af33152d09458937cefb8b4be951cc57e9d12f736b76580d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
114KB

MD5
4a6a32076a6ec33b804682a0630d916e

SHA1
5f59244343506596b8b13145cc7b7685a85b25af

SHA256
91106348245a378a20028de836ca8c4f8b21248d6d5b115892f1d915d3f83ab5

SHA512
a0ac7f21f4d9c247915615faaaff2e164e6defb58bf015cdd3420a63238df8d3c984545179a4567d48882c4c59b483819f6bf59ca532d2449cd6deb081451fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
9KB

MD5
55d90cda21aba10293e94bd095633c6d

SHA1
52488dd633af4624c3055cb29828f30da93cd5c0

SHA256
89f78d6518d1acdae8384af28dbdbda26333116f48fb4593d88499987cdb7ada

SHA512
e7ff490b696fa1e7a9aea9be0cd0a41c9515c35e9e4774b0d6b8d80c15d593fa14712d6fc84bafaddc5ae4156442720dedcd66f5702cabbaddeb39db80c0d687

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
581B

MD5
7e6ed67d6a4b88eb0b798598cf140a08

SHA1
b8ae0a2ce5c12e965057f9f7e237a54a941a5ef4

SHA256
5938a02cabfd5e64cdf634bc4c80a7612059c8b3bc4c2eff8cc8e9ffd16021d9

SHA512
45acd961fa4f0ffe7c26bc7837a80fdc2bfb55d18a77fda668fbbf2a1a2273146b8f0d2417a558ca34e472af66a1858994bcfdcfc75a9642dbd2618a0a832cb1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.6MB

MD5
9b310772520be9a28c18603a2f6a7bd4

SHA1
5c0d76d65c84c01d227976791cdfa4c65b61464c

SHA256
e5e21644a96f2a7a0d64ab3fb8fb5b2bb0171f19992c1ceda98c7b1eda08f0e7

SHA512
f103220472a9f33e57e3296c93ca49e478cd4af99e973d3177eadbdca67c3e9225ff052cd0f84c193197daa756547f55ff5b58b0a970f0ecca68a6a59c58b2e0

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
7.8MB

MD5
93a43a04af207bf1dbcf577d25d2f57e

SHA1
a43ab88055e9ba1db30c1fe5e4cd71c5467f0be1

SHA256
a5dd57e6cd72a4b03950cd43e5446abc673f0548f8b5af70dcdbf5c2e014ec3d

SHA512
3f32854e4b90ae3166bb2ea52ed45183073ba8d75d20e61ab6bda2ef0bbc0064656d4de52d2b5a63416cf4d539de49f75446b7e3550f73dbfb1f6f2e368ef0ce

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
8.9MB

MD5
505731086d2f448e68c025a7003efe00

SHA1
e8358cf87df55712a7b6998d1816e94b57f3b7c1

SHA256
978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5

SHA512
856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
384KB

MD5
6d5ff981859bfbd84cca745ed59d1d3e

SHA1
d79881050ee7dd3d5a789e5bfb4c06c1eea55d1a

SHA256
b5e4010e020e8f450f071f4799b992a1cb2f69ebb59be3381f1376fd6bd83c92

SHA512
3333d2d25b236c146c1a0abedf2b1f5a0dd562f1a7cb4add63929fc757613f0829cb4c485f683603d74f3c93c83447e7ad3ec5084a2a9d7cc6e635f5e8793666

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
7c2d2237bedbfc5c5d97e2d94158ebc2

SHA1
2d43b6949b3bc17e09b8ca114e96b16161a369a8

SHA256
6c0b9e5408929a42547b87f0acca6db4a5484e467ee1234f0dd79992a1c1c784

SHA512
4d09e86a30bffe142da412da1649c81dbb025c8c65ab19e0b43fededdca33de9ef54d2d215aaaaf22f07f2d4adb2cdf37fee4271247ccea54375fb7b2fa15d80

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
41KB

MD5
4d86270282886913c795db8cd2a381b2

SHA1
64eab9bbda3658193c3398a624eea9e182149b9f

SHA256
831fc49c0eb803308a6c3d15071a185a1cce7c2bc0e2bfc4fef4a342f216cca7

SHA512
80ca27452b9a876688bb568167ee69c5df650568d1da406367536d562f99f3b7d603f631912c22aca289a891a74443dd72971a6498f859dabb15fe1fdc9a3b7f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
bad9fa79fb5bbef1cea454473769e0a1

SHA1
4aec795850507f2ca31127d4494ab1fe88e7cbb1

SHA256
6dc072d178babb4060ff77ff76148e2eaf75e32707dee7f1496258667f1cd49d

SHA512
8157d469b231d0b51843efd5a5401edaf44aaf2d79a28011365fdd6c3f3677ce98e2866ec686ddd8a0d0986387445e91fdfc9799d0d4ea5619c7569f193dc42b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
457B

MD5
dfb34059c6287b527bf92f4266ea9d98

SHA1
f084d4e3a6161d7ee5005de99723dfaec1b2dcd4

SHA256
6adf6e0e619701e456550ef004172f8316c3f5e69f835bc1dea15418ffcd459e

SHA512
f93fb7ff531eecd41b4d93dc7cbc867f8298abd2be3611fc5216c50f7dd21da60afcfc0fee25be92fed0c1279089e1221ed0a6a49c229ab2768da5800969a07a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG6.PNG

Filesize
352B

MD5
97df0bf4bc798d11c56acaaafbb097c9

SHA1
856a8b57615fa06c54725dad35484cd67bd3551f

SHA256
d9da7ad17b8a016ff897a1c1978eb7194c1f58b735ad90775769c8bde88658e4

SHA512
f410c2178bbd00418a1559f927afa966b47295fdcab77b26d634429bf7ecb780d62aa5dfca097b5692eb1f6432fe4c153e83ef89881e05f3a1b07a3d3c83698a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG9.PNG

Filesize
438B

MD5
c79040a0266403ea0e5458c0a9e59be2

SHA1
5630fef198da8a2456e7f9068a2dffccaab6905a

SHA256
c26855278bd382e34910eb4e44645de037966434ad54e774ef7b63835fc7d110

SHA512
c09a09a732695a3e87886b1bd12f72050da94e2f67851636bbfcffdb9dc375a4b8734bc8b5ef023bec435c43d2f2210f1c1c33745e5029beaae5a09482dea1e1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
6KB

MD5
8b343ad1e0dff92939e623f6db588811

SHA1
bfd6ab35a67ee7b0a06097adc75971dcb844454a

SHA256
c8ed1c8b69c3728971227bb78c03065fb2ca2d2223820142590e122d2c5d3fe8

SHA512
02ad3099e0ac4d860975f0d8a8abe7347c66efe567d8603e6b0dba143d9e1350c3288df0ded9346470046bcab7e4bbd4385fc9d25dcf566a0fdf4e43f09823a7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
24KB

MD5
fe2f62c295d26e6e3c493439bc74a41e

SHA1
aafcde7a1ecefe8396b381283633f2b8242c7b5b

SHA256
90c8c2990267584ba435603970bca72cd867dc5d9bd9a25f03db35b86de3454d

SHA512
050aa902aec206397c3cab6260478bf7b802e59ad90b09bbf881fc4057ed166ba2fd0a6bedb5f3cf1a7d3bb1af13c3a06daf4d55546e25f9caffb6f8326e944a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2SJR5PQ2.txt

Filesize
227B

MD5
2ccf24cea310082382b5db2ab274682c

SHA1
2a263a416bdfacca4942d09408fb8313796614eb

SHA256
415cef74423efe834491194a17c75482165067e97de20ec213a52acd92474a37

SHA512
beb355a5c593e375a095d52241b34be1c2e1fe005fa72c51ce0628890cd48ff54413044eb6acaac572fc4bfdfd6f1bb8e1d9f4efd0c43115e32dc5dc21dd303f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DR05PPAJ.txt

Filesize
512B

MD5
5449d77c3d759c45eab9caa839e865fa

SHA1
e1684845aade90150f86e224ab995afea6c740f0

SHA256
b76a82b7dd7c4ef1fc113a7bb2dfdf7949b84b374ecbc12dbe1b38caef9bf229

SHA512
307d806fe8421aa669eb1d1403e8786aa66133046dc003ba2f9316f8e62c2fe5380570c649fc3f6bbe04ed764635ccab8b25359e4b13fcc0c9a0fb31ef84c267

Download Submit
C:\Windows\Installer\f77ec14.msi

Filesize
3.2MB

MD5
ff4c5570c94925e40dbc2755ac06a245

SHA1
29cdb79f8035105180d3f4ba28fa5a86fff8f3bb

SHA256
c4884fc8ab58ab7814f1c15ca2dda6d0eb847695ef8d20d470a0c910a841cdf2

SHA512
6d9a563ef5c3e26650cbadb27339b527a684dbc1677b8df62c5b273fa189997879dc3d25b8f171b6fef50f2135a1f9fd7db49cc63ec39f78e212bbfb05d1df18

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe

Filesize
14.5MB

MD5
08583ea35d9928b0404442eded898b2b

SHA1
646c0878798672764051009db33bdfabb88e0fa8

SHA256
7daac0184f2e2b1473e87142a53ee9040e2aabfe436dd29e4b9b06daa2c4730d

SHA512
b7e2b84277565860ec5a1cef944a12024834a2d427b43343e0785c390109ef9a27f70a186b5d28905615971c43df4dd9c8866ca0bb7c318f370f1e52aca529cd

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe

Filesize
5.4MB

MD5
97df9d39b4f912276a50fb484e409d6b

SHA1
2aae8e2e6ec7a9aea75c0e3388f0c6b2233dfd3f

SHA256
a2616cc0fd53622cda025d3a3a4a404f873d4dbc61480653d3cec73b68c54469

SHA512
29035fd14c0523ae574682f881b85fe2e0f8e50a0c399f88eae5e610aed3c24714d4c1353dc22e271f3584841b4dfe31ee6c2599a274eb91becff1cbd68bcb0e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\jre-8u51-windows-x64.exe

Filesize
6.0MB

MD5
bf53a8e1958c65ee8c9d837cd4f48cd6

SHA1
2aa04ce66c2b82547178c20033b301efeb2d5207

SHA256
fdee438a2e80b10765d365abe08f6fa1844fa20da40ed6caa967e76a451e79de

SHA512
99f6d3c1a06ae907e1d7033e0f2d356a296533caecc62cbd9e1e8119862af14584ac71f6acf0a102d6d77e56641e26692001e23e302b5202470a413cc874197a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bba68732fb535f542f19acd46af00ddf

SHA1
501b7058ce18858a22f6ce198dfc34fff832872d

SHA256
da4577994a0653b6eccea81ecd078397f2088935d24dde5d8de30fbf178dd0e3

SHA512
36b3d68b7163b7be4a12cc9b6fed2136300c8fdc4941e00b42faffe94f40436d104788808d4fcccfb7340e3b4a4bc4740bd66dab840260461a8ecc7785fe43b6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
192KB

MD5
632913fff410c30bba62286d4a77a40c

SHA1
0e12b327bb7a6e16c58f16637466ca3777d273be

SHA256
f6d3c5335e0d5f0e080e895a1ff10f10a0a4df31bf2e9ce42d7aaa2c5c6d3b4b

SHA512
5e775b315652bbca5519351ab080bdc70ab223dca954ea86b17765ca30726ca2f9327604be1784c329d2ff4b930d3070adfa8f305ef6e81f4cb9aaf635c61849

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
2b2fb67e0f041923ce66c1d1f2d91eee

SHA1
31d1a53b1eaa37f6bf7aae060e696f3a5bb15741

SHA256
dc7cfb70877d3d264043ddda52da40d3ccb58370c202e12b3a4219432ce4091f

SHA512
b74cbec340b65419a65db28ba9f38631a56f4ce15beec267693825c2714d3a000847df0ea4c7054eac3cb76a44fc0b42be97a85de3e71cbba4bad97053330e4b

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
1.4MB

MD5
d4155413c22a6d99045bce43b4549b56

SHA1
3a00b40acff4f19b9d7a5effbf18d7ee05e5222f

SHA256
25ae24bc2a59da739c69a528e268338536ed76411f5b436d6d4ca1478a72ad13

SHA512
89d047853f0dfa9caecd2241a0dbe73248516617d5987599a239a715f0a05b23aa394f547c3efc98a423def4e138dd32fd03a8d64a758110850109bbd209107d

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
512KB

MD5
f2b0fca4ad87fc99e64a1403b9e5fb27

SHA1
505c52e035ad5b84c528dcb65b2449e00698ff7e

SHA256
740f40c256207e32a852b1d00b5217befca891b1b2f2c051634a2a251ae91d21

SHA512
eac9489a50007bcf1e13ff5aabfb819207525303479c3cb9bae7979526160cd975fe812c3e2d3b750270b39b62892be33d637e17fa620c6c8f0fd989b6a37931

Download Submit
memory/884-1202-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1480-1888-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1480-1889-0x00000000003D0000-0x00000000003E7000-memory.dmp

Filesize
92KB

Download
memory/1480-1892-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2060-1890-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2060-1805-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2276-415-0x00000000030B0000-0x0000000003498000-memory.dmp

Filesize
3.9MB

Download
memory/2276-6-0x00000000030B0000-0x0000000003498000-memory.dmp

Filesize
3.9MB

Download
memory/2276-15-0x00000000030B0000-0x0000000003498000-memory.dmp

Filesize
3.9MB

Download
memory/2468-439-0x0000000001080000-0x0000000001468000-memory.dmp

Filesize
3.9MB

Download
memory/2468-485-0x0000000001080000-0x0000000001468000-memory.dmp

Filesize
3.9MB

Download
memory/2672-2229-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2672-2212-0x0000000002350000-0x0000000003350000-memory.dmp

Filesize
16.0MB

Download
memory/2672-2231-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2852-428-0x0000000002DB0000-0x0000000003198000-memory.dmp

Filesize
3.9MB

Download
memory/2852-438-0x0000000002DB0000-0x0000000003198000-memory.dmp

Filesize
3.9MB

Download
memory/2852-421-0x0000000002DB0000-0x0000000003198000-memory.dmp

Filesize
3.9MB

Download
memory/2852-437-0x0000000002DB0000-0x0000000003198000-memory.dmp

Filesize
3.9MB

Download
memory/2856-2133-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2856-2132-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/2996-1155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3020-488-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-1154-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-273-0x0000000000A70000-0x0000000000A73000-memory.dmp

Filesize
12KB

Download
memory/3020-902-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-901-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3020-350-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-271-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3020-17-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-351-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3020-375-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/3020-885-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download
memory/3020-489-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3020-490-0x0000000000BB0000-0x0000000000F98000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads