3646d735ffec7dafb931e1892092787f5d90613be85db4bad290e878717f7dcf

Analysis

max time kernel
87s
max time network
179s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.899-Installer-1.2.8.exe
Size

25.2MB
MD5

ee2dfb3cdd08a0098b69cb969b17bd6a
SHA1

8ce08f1ffff25fe5c257285c728a140d4aa0000f
SHA256

3646d735ffec7dafb931e1892092787f5d90613be85db4bad290e878717f7dcf
SHA512

685de6c8242c8897baceb6d759e946c04cde08b95a7f7d7db99e600486ecf73a609a75da56321b5a6c53c5829c7e24c24e5cfa38e7f69fe87988060fc70abc78
SSDEEP

393216:u25KZIcuiw8AWQ5+Ucvfs/dQETVlOBbpFEjLsZqV56HpkBrr6of5MJ7ZWqxPAIgr:3KZoiA+NHExiTZqqHpCrrKJBH5lFRq

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
2836	irsetup.exe
1404	BrowserInstaller.exe
1600	irsetup.exe
2028	jre-windows.exe
1624	jre-windows.exe
2924	installer.exe
1468	bspatch.exe
2188	unpack200.exe
1920	unpack200.exe
2944	unpack200.exe
2584	unpack200.exe
2532	unpack200.exe
1984	unpack200.exe
2416	unpack200.exe
1216	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1836	TLauncher-2.899-Installer-1.2.8.exe
1836	TLauncher-2.899-Installer-1.2.8.exe
1836	TLauncher-2.899-Installer-1.2.8.exe
1836	TLauncher-2.899-Installer-1.2.8.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
1404	BrowserInstaller.exe
1404	BrowserInstaller.exe
1404	BrowserInstaller.exe
1404	BrowserInstaller.exe
1600	irsetup.exe
1600	irsetup.exe
1600	irsetup.exe
2836	irsetup.exe
2028	jre-windows.exe
1144	Process not Found
1144	Process not Found
1704	MsiExec.exe
1704	MsiExec.exe
1704	MsiExec.exe
2572	msiexec.exe
1468	bspatch.exe
1468	bspatch.exe
1468	bspatch.exe
2924	installer.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
2188	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe
1920	unpack200.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0089-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0154-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0170-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0222-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0254-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0281-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0158-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0126-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0185-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1836-14-0x0000000003350000-0x0000000003739000-memory.dmp	upx
behavioral1/files/0x000c00000001450b-12.dat	upx
behavioral1/files/0x000c00000001450b-15.dat	upx
behavioral1/files/0x000c00000001450b-10.dat	upx
behavioral1/files/0x000c00000001450b-19.dat	upx
behavioral1/memory/2836-20-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-577-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/files/0x000500000001d9e5-603.dat	upx
behavioral1/memory/1600-628-0x00000000009A0000-0x0000000000D89000-memory.dmp	upx
behavioral1/memory/1600-691-0x00000000009A0000-0x0000000000D89000-memory.dmp	upx
behavioral1/memory/2836-692-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-1179-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-1197-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-1200-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-1202-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-1304-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/files/0x000400000001df17-1577.dat	upx
behavioral1/memory/1468-1578-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1468-1586-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/1468-1590-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2836-2182-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx
behavioral1/memory/2836-2466-0x0000000000EB0000-0x0000000001299000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	2572	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jpeg.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cryptix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\icu.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\rt.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\bcel.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\ecc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259482718\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\splashscreen.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\access-bridge-64.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\public_suffix_list.dat	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\public_suffix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xerces.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\rt.pack	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259482718\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259482718\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-processenvironment-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\meta-index	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f773059.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f773054.msi	msiexec.exe
File created	C:\Windows\Installer\f773057.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI350D.tmp	msiexec.exe
File created	C:\Windows\Installer\f773054.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI349F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI351D.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_133"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0164-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0255-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0131-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0100-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_100"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_88"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0234-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0281-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_57"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0123-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_122"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0255-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_64"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_20"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0197-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0194-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_53"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0186-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_186"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0210-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_210"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_60"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0258-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0161-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_161"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_04"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_38"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_71"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_178"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0131-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0103-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0099-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0155-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0194-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_47"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0280-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_280"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0094-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0189-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_200"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_36"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0259-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0152-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBB}\InprocServer32	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	irsetup.exe
1600	irsetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1624	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1624	jre-windows.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeCreateTokenPrivilege	1624	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1624	jre-windows.exe
Token: SeLockMemoryPrivilege	1624	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1624	jre-windows.exe
Token: SeMachineAccountPrivilege	1624	jre-windows.exe
Token: SeTcbPrivilege	1624	jre-windows.exe
Token: SeSecurityPrivilege	1624	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1624	jre-windows.exe
Token: SeLoadDriverPrivilege	1624	jre-windows.exe
Token: SeSystemProfilePrivilege	1624	jre-windows.exe
Token: SeSystemtimePrivilege	1624	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1624	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1624	jre-windows.exe
Token: SeCreatePagefilePrivilege	1624	jre-windows.exe
Token: SeCreatePermanentPrivilege	1624	jre-windows.exe
Token: SeBackupPrivilege	1624	jre-windows.exe
Token: SeRestorePrivilege	1624	jre-windows.exe
Token: SeShutdownPrivilege	1624	jre-windows.exe
Token: SeDebugPrivilege	1624	jre-windows.exe
Token: SeAuditPrivilege	1624	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1624	jre-windows.exe
Token: SeChangeNotifyPrivilege	1624	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1624	jre-windows.exe
Token: SeUndockPrivilege	1624	jre-windows.exe
Token: SeSyncAgentPrivilege	1624	jre-windows.exe
Token: SeEnableDelegationPrivilege	1624	jre-windows.exe
Token: SeManageVolumePrivilege	1624	jre-windows.exe
Token: SeImpersonatePrivilege	1624	jre-windows.exe
Token: SeCreateGlobalPrivilege	1624	jre-windows.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
2836	irsetup.exe
1600	irsetup.exe
1600	irsetup.exe
1624	jre-windows.exe
1624	jre-windows.exe
1624	jre-windows.exe
1624	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 1836 wrote to memory of 2836	1836	TLauncher-2.899-Installer-1.2.8.exe	28
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 2836 wrote to memory of 1404	2836	irsetup.exe	30
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 1404 wrote to memory of 1600	1404	BrowserInstaller.exe	31
PID 2836 wrote to memory of 2028	2836	irsetup.exe	35
PID 2836 wrote to memory of 2028	2836	irsetup.exe	35
PID 2836 wrote to memory of 2028	2836	irsetup.exe	35
PID 2836 wrote to memory of 2028	2836	irsetup.exe	35
PID 2028 wrote to memory of 1624	2028	jre-windows.exe	36
PID 2028 wrote to memory of 1624	2028	jre-windows.exe	36
PID 2028 wrote to memory of 1624	2028	jre-windows.exe	36
PID 2572 wrote to memory of 1704	2572	msiexec.exe	39
PID 2572 wrote to memory of 1704	2572	msiexec.exe	39
PID 2572 wrote to memory of 1704	2572	msiexec.exe	39
PID 2572 wrote to memory of 1704	2572	msiexec.exe	39
PID 2572 wrote to memory of 1704	2572	msiexec.exe	39
PID 2572 wrote to memory of 2924	2572	msiexec.exe	40
PID 2572 wrote to memory of 2924	2572	msiexec.exe	40
PID 2572 wrote to memory of 2924	2572	msiexec.exe	40
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 1468	2924	installer.exe	41
PID 2924 wrote to memory of 2188	2924	installer.exe	43
PID 2924 wrote to memory of 2188	2924	installer.exe	43
PID 2924 wrote to memory of 2188	2924	installer.exe	43
PID 2924 wrote to memory of 1920	2924	installer.exe	45
PID 2924 wrote to memory of 1920	2924	installer.exe	45
PID 2924 wrote to memory of 1920	2924	installer.exe	45
PID 2924 wrote to memory of 2944	2924	installer.exe	47
PID 2924 wrote to memory of 2944	2924	installer.exe	47
PID 2924 wrote to memory of 2944	2924	installer.exe	47
PID 2924 wrote to memory of 2584	2924	installer.exe	49
PID 2924 wrote to memory of 2584	2924	installer.exe	49
PID 2924 wrote to memory of 2584	2924	installer.exe	49
PID 2924 wrote to memory of 2532	2924	installer.exe	51
PID 2924 wrote to memory of 2532	2924	installer.exe	51
PID 2924 wrote to memory of 2532	2924	installer.exe	51
PID 2924 wrote to memory of 1984	2924	installer.exe	53
PID 2924 wrote to memory of 1984	2924	installer.exe	53
PID 2924 wrote to memory of 1984	2924	installer.exe	53
PID 2924 wrote to memory of 2416	2924	installer.exe	55
PID 2924 wrote to memory of 2416	2924	installer.exe	55
PID 2924 wrote to memory of 2416	2924	installer.exe	55

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.2.8.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.2.8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.2.8.exe" "__IRCT:3" "__IRTSS:26447648" "__IRSID:S-1-5-21-2297530677-1229052932-2803917579-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-2297530677-1229052932-2803917579-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1624
    - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        
        PID:1244
    - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        
        PID:280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding DBAD96DD24425F54E9515E8F47710F85
  2⤵
  - Loads dropped DLL
  PID:1704
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\ProgramData\Oracle\Java\installcache_x64\259471782.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1468
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2188
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1920
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2584
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1216
- - C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:2596
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:2520
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:2632
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:2320
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1832
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 3117292418BB388527FCC19ADE2E4D9F M Global\MSI0000
  2⤵
  PID:1728

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3fb9758,0x7fef3fb9768,0x7fef3fb9778
  2⤵
  PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef3fb9758,0x7fef3fb9768,0x7fef3fb9778
  2⤵
  PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef3fb9758,0x7fef3fb9768,0x7fef3fb9778
  2⤵
  PID:1532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1588
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.0.1204837399\787808963" -parentBuildID 20221007134813 -prefsHandle 1036 -prefMapHandle 1028 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb62d88a-1a01-4448-a0b3-9591adc3233b} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1132 ead8358 gpu
  2⤵
  PID:1272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.1.147992833\708704379" -parentBuildID 20221007134813 -prefsHandle 1296 -prefMapHandle 1292 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ba5144e-2190-419f-ab23-c7c4293ff07d} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1308 ef47158 socket
  2⤵
  PID:3172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="852.0.171839633\1552381542" -parentBuildID 20221007134813 -prefsHandle 1028 -prefMapHandle 1008 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99599a94-1df6-4034-917d-ac6a3d987684} 852 "\\.\pipe\gecko-crash-server-pipe.852" 1128 ead9b58 gpu
  2⤵
  PID:3112
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="852.1.1958689721\253142933" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff5adc2c-2e99-401f-b634-cb90ded23683} 852 "\\.\pipe\gecko-crash-server-pipe.852" 1304 ef54858 socket
  2⤵
  PID:3676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2112
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.0.1812123560\1306496601" -parentBuildID 20221007134813 -prefsHandle 1080 -prefMapHandle 1072 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89b83976-6ef8-4b78-b145-58d0c47f7b0e} 920 "\\.\pipe\gecko-crash-server-pipe.920" 1200 ead7058 gpu
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="920.1.1646727256\371228584" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {362aa143-8da6-40dc-abde-79a5c3e59d26} 920 "\\.\pipe\gecko-crash-server-pipe.920" 1304 ef46858 socket
    3⤵
    PID:3960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2308
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2308.0.1541836564\2053146620" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1248 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16136b3a-94d7-4212-b69c-c24625b3006a} 2308 "\\.\pipe\gecko-crash-server-pipe.2308" 1344 14806358 gpu
  2⤵
  PID:640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2308.1.2139031644\1234380039" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bbbdec0-da28-42ea-98cb-181895240174} 2308 "\\.\pipe\gecko-crash-server-pipe.2308" 1552 f2ee258 socket
  2⤵
  PID:3664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3028
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.0.1921800962\227795563" -parentBuildID 20221007134813 -prefsHandle 1052 -prefMapHandle 1044 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {911a32db-4b4c-459e-8cdb-4c0a1f57fe30} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1172 41d8058 gpu
  2⤵
  PID:272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3028.1.1373329414\1337388510" -parentBuildID 20221007134813 -prefsHandle 1296 -prefMapHandle 1292 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43cba1c-517f-4ec9-be0b-a9919f684abc} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" 1308 f149e58 socket
  2⤵
  PID:3988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1736
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.0.1350171571\1748316077" -parentBuildID 20221007134813 -prefsHandle 1056 -prefMapHandle 1040 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc74e9fc-ddcc-406d-a628-d21a51d89bf3} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1132 e8d9558 gpu
  2⤵
  PID:2712
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1736.1.979331883\447847736" -parentBuildID 20221007134813 -prefsHandle 1300 -prefMapHandle 1296 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a126cc47-c155-4853-8abf-acd23cf57717} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" 1312 ed53658 socket
  2⤵
  PID:3180

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TraceProtect.mpp
1⤵
PID:1832

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TraceProtect.mpp
1⤵
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773058.rbs

Filesize
925KB

MD5
e962119a47432c875146b61808fc9760

SHA1
e742ecbbd8040f855cc4afc0665753b288b78c8f

SHA256
55492a952e6ce465f970d3ca8d4c48f164fb70a62ceeb7b796cb8564cad23c7c

SHA512
736a0c2039b450b37d9da4bb785b5d3daea19767216e38f9e1cfb49619f8aaa360a38f2c33b97e20e3d5db3b506d8d83006a5cf63e46db298646aba93c69feed

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll

Filesize
50KB

MD5
539c5879fe191c448f20a79e6cb264ec

SHA1
c13343071d671c5cc8608159479da2008837a92e

SHA256
4ac836e76cabb688f2a6773a2a56ea3471c07ae47b8ae0b25512ceae1871794b

SHA512
fcd66ea6974f77773b0fd8cd31badb98328d64a57f599ac120b4fa77acf079b1301017fd17cca651f05ae01164323dcd5185cea3401f8d35ea763dd157d6ed1a

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe

Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe

Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
64KB

MD5
4239fc8915813678e1e422fc61dcf6c2

SHA1
584de05442ec892b4223214dbd7a32b6b6cb714c

SHA256
0fabf2247fb667489b1634924728363846e2180d32bcee1bfdd0526fc594780d

SHA512
a07c6eb62b4ca435f14fc6b90bbbc386421e16587c22f2801434c3cff83e8a8f223b370fe71c8e322e7171b3c30ca6ccfe9eb5cde2344380de5d186694435e96

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259471782.tmp\baseimagefam8

Filesize
2.1MB

MD5
f03df29de7eeb68a1e684b948fe7d95e

SHA1
7f833978e8fed4245fe4fb8662491f4d8d36aa33

SHA256
bc15ce42a16fc2f4c597a7d2e27dd9f3d1a5de5cb6f8255dc30f402ed3cf3f4d

SHA512
df5b6a538c13b1032de67fcb50a3e955c1f4c681d3ee0469a7dd5cb7b1f45b65faee812ed843a7c276d319873edbe2d8198b44a3c743e3060cc0ca779f35727e

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259471782.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259471782.tmp\diff

Filesize
2.5MB

MD5
4a21a34b20420287cc06ac8c33b928da

SHA1
9e4a69f2676648347c552aa0f074d717523c7c1c

SHA256
d6af98e09b190ac19bb532179c3864f587be7bec2573680951fcdc3cd4678739

SHA512
421a30f7ed729c16e0d77a8f9ae9e71260fe8e4c535612d629d549d54ca9000dc14bf3ee1222c6558fb6d1e2f7710c9892449116da2bdc2fbb4e0d81a81cf918

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259471782.tmp\newimage

Filesize
2.8MB

MD5
9c697a2beac8852961dfc1b09603ccea

SHA1
cd685f693f5424b6e347e36ec0cd3d4f126a940b

SHA256
604fcd553bfb3379a6f081de79643df154697258ddaa46a39337d9c7c8efc5f8

SHA512
c825389c96f7a7e40b762f20ae6a2479abd91c0ac915dddcef241873f6a62db709ad7d2dc86588049406299e9d0dff72c397344022fe8a3428a17d74f436e87c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
2d683f800ebeb10dc6af42b3b320f652

SHA1
2ba435ca9621f66b60923ad778778b0a48ee19e2

SHA256
b73af2835d97527ea68460386987220a8aa55d3361e16aa26e2c4a4075d445f4

SHA512
1bce3f73fb95cbce266729d38c8b1dc0ef4913b8de8c828cff9007000a76705fcc4e661e73b022cdc3126134797ced38423e9ec5ea4421c436563470eb8f8e10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
749fe006cd08a6486c10dc165fa6e9c6

SHA1
d48d90cdb2283e6a8e7ceece44df5c2e91a1952c

SHA256
424c2efd9d777e9cb697ee6e3e7998f58faf1306529a8e4d82256de9c5f08db3

SHA512
0d5b41fef6933edea2754f46d4e1e48ac1c2c2c4c2f0114fe0d06804e7a2b8095a36830470b59371abada5f50686c36ea76b5d25e384d3f281484ed643c667dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94f008ca90101aeaf9935d62b9c77ba0

SHA1
f35b5482245636ea7947a157f4967f519da660f6

SHA256
4c791b5dc61a51197223cbda635eb28d14028c524f1f68072885c22a9a6029a9

SHA512
e238006d5a4ea7ecc7331696c2ee7c0785c9d056d582619d259687013d20a8ead76d66b6b11a43fc7e183cf9ba962baa5719beaf2fcb4e0fe19b648f99a8cc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b08bb725573fc8c0509dcbe1fccc626

SHA1
c6afd166a5be76364db095ebbf80592491a4f594

SHA256
63af533bbeaf44bb97d68319b79e1915e6cfaa84536532ed055f2ffc68bbe329

SHA512
a3c99e99cc0ae19c43c35f430eca6ecd5ff3b652e8e50997c095ef3edd3d745b7b43bbd17d61b8502ff4a6ba98539268f488b5f45449503f870a4a71713088f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
8ac0c0eb182ce762c9418371b74ac3f3

SHA1
43bd661b8bbd61b9a17efd62f58d94462cbee255

SHA256
c48d4107a0650ebf7d59f383017d1e88ac2c474ef4b7af9f9753b074e36e6ead

SHA512
0edf55d43257c75ff1e451c28f8821179d2c40ff05952797c2e5995fde0a8be59da0df39927648d1845d104566c6f364b01beadd8f931451230a54679dd8e8c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
2.0MB

MD5
34ac1c3ed355334ee413ad239179f1bd

SHA1
4c839d90dad73e83032f75ecf0ba5f628261b004

SHA256
231a21abd257e6a5f531e2dc8623032cd96fd4ba574496ed90d5fcfae2dca5fa

SHA512
7dbbe21b3b5a7bbef17d6d6412813c7f73841dddacf33ce7a44cc15de4c57e2adb0c02723a4370029f9421b2e52a3be9fcfa09061eac23ae65f181467abb32a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FB9.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
83a8f0546164c9ba1a248acedefd6e5d

SHA1
7652f353ed74015e7e78bc9f9e305a48d336b6d1

SHA256
e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9

SHA512
111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
e22fe17ca6e4480f1b7da0dae8acab55

SHA1
b157dfcea394e9adbbc1d72ef5fe494ca2c13fb2

SHA256
8c8ad2fa7361d3e124f95500d24e64803dfe195af16402c76b7ba5842e5c8c27

SHA512
a92fd24255e465275bc137314d8a00dd79153cd77350569e458d2c8614d1d91efc8b92a7c021a0f088e945a4f7b810592bd0ee903e6a43b7a28efa74985a4b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG

Filesize
43KB

MD5
b1f9b2f7738252979896ce40fffe9fec

SHA1
bcef02e098a88b79b2eb11626c54ecac62d2328c

SHA256
93168799259d33c767ca66f5e2c54f6e4d5cb188cf0d1ea37841cae4674379d6

SHA512
128c8dac928de0018b38b5788d874693fa78311c777f489942bcba87e4d05eb50b286cc681222c448835dc05aea88e61d3a6c82ded7b53226fd9eff27a585110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
644B

MD5
48b18938bd44c7a638964600426ee63a

SHA1
f4e3a5d601a5d4ce586c051e389a36f88d94fe57

SHA256
de289ca036de1b13df257bcac9dee853439b6398345ec792b7da33e2add61765

SHA512
36913ba60d1bef29d205a394c9eb7bc78dad45de6f5b6b980dd3473cb39f771010fdd3aed25bf2ff413e294b9f2e853eab87d888d15338810e2256085013da6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
c3350f6169fa9c22ad960e131279b19b

SHA1
382ade35d3aae84e0b64b83e7b1d619ce89cb013

SHA256
c950300fe506e912155095ea82d6fd6fcb604f6a6fa4876fc7bf42c8bd22bfce

SHA512
f2c5c61f09d37dc989354fb3c33656c29393f4fa5ab4c59236f75951e0bb4da45e46f4b42531ed32e348177f56db5bb7913bd45b473bb8940b1988ab2a4f3dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
513eec59fe453b3491cda67bce0b9ab3

SHA1
10559943fe70b253f94cbed61e4b1fc5444816f6

SHA256
6f9f0e27946dee1fe1c1398c29cbd970498e4ae7640bed11c43ea2398e0ac7af

SHA512
4d047c823249888b97cff88156f3f32da3fb7256b422c16e5b7359eb6e1aced2b832bd5506d0883e06fddd701dcae47aa8ee454a2d275b5433445931fb280a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
23b6a1fd8c81ac715d1d0918acc742a5

SHA1
1badfeea3107007619701ea47d92fe5e0e38b37f

SHA256
4a67bb23a959b8ead007ac0449a35be94f3ffed20e5a41ff9b4d8c68be835b61

SHA512
bb7d9a1ac3bf3203727e31dc32d5215c693967c8d18e8586aeaa07c4212226824c1aeed2c63e330ac7f8e52cb3e8cbd2f4443f995288ba1da580774272dce4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
896KB

MD5
7997fee78f8725fa9e01693457ab0868

SHA1
ce6164920c5e165389b0e4c865f01446aaf0b377

SHA256
23a86885219b753480cb9eb019e492e5fac5e63ec81b26ba1993f9df9fb458ac

SHA512
f9089793cca9ed6309fca2f39aa434546e9c9b0b6fbb1b0b482fd4598efcc4385771cc3663fb8f7f5ca1e479106000de27649e0eb92a618caee0fd870e914395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
640KB

MD5
768376b69407ad3a9b94a06f539e16a0

SHA1
866adf4ba7323243038ce20f74d8dafada1986e2

SHA256
4be184a4440f1033333568a21e2f6725c4a08bfe6041fc3f5ca3c5b20d00dad3

SHA512
6bba5cd25a4a97f91dacae435a3ad48fe6c47fa826194e9d0bd59e4839a321b0228c571dbfccff294b40521e6dd7cc76c3d271a3cbf9e538f24eb59dc87ce818

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
136KB

MD5
1ffd93751bc3400074dc0affa49ddfaf

SHA1
81be618514bdb88161333386f326cfcac2075517

SHA256
e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be

SHA512
b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe

Filesize
16.9MB

MD5
b4953811d280b77b10709e9d43ef76b2

SHA1
1617a06ec389bb4b1c3f6d21af0df152f3883c5f

SHA256
95b50671213693ccf0faa2b7b084c7fa592d48a9c3cdabb716b12c97b1bbfc90

SHA512
79bfbee81af99456ad6e1d888144fad4bff9c6c1060df701c1e8bc7e4491eee819054785d6ed768beffc9c265a2c807e3c3a1db4ec78e890d4639f128c6e156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe

Filesize
7.0MB

MD5
884740bc82659956db365b7df260a61d

SHA1
fe9140e23440707afe5f7bb5d991b28b699b6a5f

SHA256
ad3b4e3be22ad51ed8727abdfe3fa17bfceae124737389c1d8a9dec169eb32c9

SHA512
5412bb0e9fa94f6df23d4e34d3ea4e8d3a296d798bb633d3a1d98b23dc2d0804c99e07f6ea37aef9b7629339e913effce407564372488d661b76ac1fb9e7b728

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
22.7MB

MD5
c77b0ab37095d0636f2b99b8eb58592a

SHA1
4fba125d01b157d1d71a2dee2faf2eeb56a94881

SHA256
62049e098ddfaf81f9f9f51495e4a357e1b6a57824118f427e6b63abd9d0437b

SHA512
5de8115da3c8197a5906363985310e271ab9c3c697b19b818fc94ab3de74a52b4a32a90a397fb373000ceb18fcec5781b7c5a886ab84eda2644f1e1369fe1c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
282b1a2a49ebf936f54235e2763db6e6

SHA1
cca417141bc90d7ef7dc0860c27e1df0226b8336

SHA256
5c18d0353e8c785d9161e44f8593c29579ea4ece5e9ccfa72f0f2458fb6e453a

SHA512
9219f125ddb0dbb73be0025c399bb28194e9b832f2ac12fb87f53ff42a99870142ec7ce9243ebee153fa7baed127ae724edb643625b306648148b858114c998b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
111fc83f96355dfe3054e3bbbd7c7e37

SHA1
7a880e11ffcc5066eafd3586403460ca6bab5d4f

SHA256
f50765c984340bbf6159ba1908f047e2e1eb75eac04d8939065051cec1e8befd

SHA512
c334402c49b17a91a9023996455910d9d140749d83dd5ef5a04c1fe64df3d7fa3af1ca0b9ac245acfdeac7083c8384c4fd98255b9c43e3e60f7d08a162d41d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
d21f4e0137d3e6244ca15e88a7799208

SHA1
c4ae0cc3bb37ade7e44ebc12edd713450c670f17

SHA256
123ea2dde9c6603a8b96dab44ab6a80de2c5cc1b5d8de03ed68c1bbedfeaa16e

SHA512
76de05c00d1ea861971f6cf4aa3dae80f107bd81ed07902a1260939637f256cceba7659da7b49dc1654a50bf7279c5b2098bcb3323897ae0ced2d468ee6ee53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
20KB

MD5
9bff36735c95c3aaf7ee5dd48a885271

SHA1
8f668e1bcb935a48ff5420f0f5f68d219c2aa139

SHA256
83b9fcb43bcb568c7f7e940dcb4027707ed71b25a7765c418a60fb4a9341bac8

SHA512
22902c15bf35eb217d3fe8c1a03d5b5bebcdc4010ac272e0248c20e72de22c05957119a09d9ce36a2a95f01457cb24d55309c885350b8a63b6af99519f2cec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
40KB

MD5
ce2fb42eb42cfce71f6d2c1ab3f79fc3

SHA1
5a14d685e54a5eeb66c1a43421b48c0ad676f6ea

SHA256
a19e17ff660bfc684819c3c8f602acffed2cdb21035f905eac8606a845ca9867

SHA512
cd6b5e2b9c35c4035505e63170b077f594949e5e982cd7df020a3f96fb0dec3b9cf0dfd095fe248e8bcbb7814dee9cc2d4074b0f9027f0d2d9272cf52ee7e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
741B

MD5
a56d934f96a1ae88f1e465bab7c71dd0

SHA1
503d130c1d045a80f8c2e0c7306cda4598a8bb3d

SHA256
0207f4da9c6cf226912b7fd8e7f399bbbc6f7a69fc96f64e36f22dcde3cb624c

SHA512
908051c193c8104ce5dc5c4d1882850928e3b383460d2a433d56b33e05f82ed273ae089b381ec35e4a7ed835ec6fbd35fd18c68cbe4786ef792d2aa5e1695e72

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
8.9MB

MD5
505731086d2f448e68c025a7003efe00

SHA1
e8358cf87df55712a7b6998d1816e94b57f3b7c1

SHA256
978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5

SHA512
856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
631fcec6a0abd830459787d30453e469

SHA1
e114b22eb6c44f08094d1b80cd55c92b93208191

SHA256
d79b284f2f5bd491b1b6c23809498efeecf5b486d5aadb2b2dc3e3db05abbfae

SHA512
07dd4c1b53c52d3714373ac42893e92d91d304c018728efe154b549e62162e9a2edfd8ec2391c12b56e0d3c562a5c474a6e0c3713a74b0d32603b81f9ac864bd

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG

Filesize
41KB

MD5
eb2e2e728e68b40763ee0f34b351d7c3

SHA1
510ea6f0ff613b2044451f51aa8fb03cc2ae8f6e

SHA256
fb2d5a945792cf43417087d7b656e581d2a4ae1775ddde7fc0c722ac9e2d7c80

SHA512
8e36b37dd59d363cf75570d2cebb63f2827de226290ac2b1f84a024c52adb4f9bc4f84e81c1aa6c1ebfd04b10a66973ae9403bd5903cc9d26b7e08751cd1eaa9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
45KB

MD5
e196338878ae4b2396a5696ddd0aff93

SHA1
a0590a65249d1f8edbc48da1e6c0659e824f24a1

SHA256
ca68a66496fd8e7c8ec062447e8729f8e00ceeca76ea659f9e69b36ea14f84bb

SHA512
0708ad48f421749cce2128657833a368158fe88d4690af6e3252cef283028c1296e83096ebd78539cca1ff3164f655b7726c4f3e2937a55b256cb0eed121f4aa

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

Filesize
457B

MD5
7858ee71a3257dfd96efcecf4fdc9e00

SHA1
f4eaf5313d47ceb7f62635de6345e89f17394544

SHA256
7d7c24f8b357e9a520901bd061b23f124a9dcc10cc17f510a8e930985cc9ccbd

SHA512
65b590bddfc12089fcf04c271769e789652adac594ada826db0e0b8224d1d002fcb6fcb6cafea689623fdd6ba861ff09ef2fc321fd48b8125827a668756d949e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG6.PNG

Filesize
352B

MD5
937eef3759887be37c17302802cd5afb

SHA1
5c3491dddb2fd26d386ccf12d6d4e775fb628c76

SHA256
c4aaead6ccca1176eea34bbccb04248a8e419420cb9b48f7acf284686d32cc29

SHA512
1711d2afd67081b7d16d9b719b100df16fdfdd964be3454d25535d5177135dd78bbc34f32873612ea95ba5e84a0d92bac0d1ac99dc2f89f5414c5614538337d7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
27KB

MD5
ab574940a2bc11ada17f99c8ade50cb8

SHA1
13c7088f9363936483a34e65fb28873bb133e0b6

SHA256
49d31597d042e98841374517693cd892847ba7be69a65136eb278d617e428cc4

SHA512
2ba17a5ef7c6e4bc909682a47b03568c2d474f1537730ffb911ea75387afce408675ac0c54932aeb1b8d204612ffb8de9726a7e657adb1fe4b3efc58abd269dc

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
6KB

MD5
8b343ad1e0dff92939e623f6db588811

SHA1
bfd6ab35a67ee7b0a06097adc75971dcb844454a

SHA256
c8ed1c8b69c3728971227bb78c03065fb2ca2d2223820142590e122d2c5d3fe8

SHA512
02ad3099e0ac4d860975f0d8a8abe7347c66efe567d8603e6b0dba143d9e1350c3288df0ded9346470046bcab7e4bbd4385fc9d25dcf566a0fdf4e43f09823a7

Download Submit
C:\Windows\Installer\f773054.msi

Filesize
2.5MB

MD5
17b7348b058c6386b36488818cf8e165

SHA1
59295ee86a47389200e56aea3eccd2dccca0eb29

SHA256
29c8f1883e429e4fb1183f0373083b1143c5232db8676a397a620a69b07de13a

SHA512
e5a3816600306be16c7b3858fc9816ed5e6fb3aa7260d2abdf692ccd2510bfe1e0c6e315f7f49b58ea4b92b9a6e19d7ac6cf54840021fd4ef1e19617f76bdc83

Download Submit
C:\Windows\Installer\f773059.msi

Filesize
64KB

MD5
4b13e617430820cdbf389e6cf065fc2d

SHA1
65fd55f519145b028e5042a5bc8a818a6c61eb15

SHA256
b7a5eba116ca4e88fb7d4236fa49b4ad5acaf353b92e440f0f2de4f1023d5fde

SHA512
38777508fefcf5411501529ebdcdc2a11b83bfeddfe66a6489db6c3b7f6d1ebc7108f18639c36579a3de566e0fc2dab788d7e37b010c96f7adeb999077220009

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
320KB

MD5
084394cc690950539eb74a663a8750df

SHA1
9e7ca6287de905bc729b7c4f8b215e470a2c250b

SHA256
f1cc58bcbba1df0e65aa89800938879fbe0454e019b1220f5ea9b9f4204b805e

SHA512
b171275ef87f2b14f85b54cabc80e60c5ce3e452d547cf4b6977cd94bdff96de59c77b3c301a9e30acfac5ce76e64441a45fbc9a0031d0fc04d1d7d78c6377c3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
e5f7c43fb82f9c84c8f50333131a2233

SHA1
8904a5e83cffc7bd5bdee337c7b578d4a900ccd4

SHA256
20101668c5ac7ba059ab95eaea4305c73e63eb73811ce5eb930af53fb9fe0d50

SHA512
7c598069dbd4e880c9a945fec2852feaf3a072493ce80d6a0c7c31d228c888c21b2c25347b9a862478facaf51ef584dcbc7caf7cd391f3cad24ba49c6728dc8c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
c90d898e76cc93d5abb0f9b25eae6c24

SHA1
06a2303d3d07a0243be22fd8aed7e585ab44ef40

SHA256
f5e4f21aac8dc06c19769f99c673725335a348376aab441a33f584e9cdf1cbc8

SHA512
d8ae57bc056e32bc65987aa2883c5ca5cc4f97933c2364028634375835b8c1e0e8a1c99076728000c646e64f8779358c990e8a0b9903ee8780351a92f82debec

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
a266e0ae1001da0023f9664afbcaee99

SHA1
f943c180e5221a5943039c21b21f394dd99cbe14

SHA256
819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf

SHA512
525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe

Filesize
21.2MB

MD5
638f4c12d6d6353ac9117c05f58c9e6b

SHA1
653711789a838db56c440ec63d9bfdbe3565053a

SHA256
fae35eb3139b141309fd1021e28a5d79c85340904c566e125e6e15da57da669a

SHA512
6fb52adba4da5e73bb365886eeb983e52c3ec13f4a4f20327c7dc9061ef353c656b4a6bfeaa186d1b840d45123c8bcf5cc4c55b8f5dc79729102b507cece6832

Download Submit
\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe

Filesize
19.2MB

MD5
647b2744b4dba5cc0536f7daa3a0b6a3

SHA1
d57b8c0020311712a7d4d6367c2d25709bb14d44

SHA256
85d8ada861c0f26cd9cf66f74d925cad3beeecdd39df7c8eb2eaf0117ef97dbc

SHA512
468bf97c241ec9bb55ba281ca719e971804b58607c5dc4d940c81bcaf3e175f389fd4b1607aade81000d0ca79cb04fa8f00a151b8e20df51ce4c45065fae714e

Download Submit
\Users\Admin\AppData\Local\Temp\jds259452626.tmp\jre-windows.exe

Filesize
14.4MB

MD5
2acd785bb807ef92a17a514d3bc020cb

SHA1
57d0723d987437d6bed6ef240874dc1030a3d9b3

SHA256
329630b3845931d64933144776261dc60e289bd8dd1a0525f25d2752eeb36fc6

SHA512
2c0ab7080c6c75c41b9f7da2a950887723d92dd8002c4817b87623ef0c450664da78b4136e0d1c2ea8ddb43afb6bf3ca0087069cd01f1b2a6fbde7087d9e1da8

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
17.1MB

MD5
bef6d3f83ef20fa8d7a4311d03487597

SHA1
b3e6bfbe7e9d252b8e5fe0cea90c193cb70e5a14

SHA256
b882cfb4d08712a73d8b37192d01d9afa3571282109aaf58ac5d38db104bd59a

SHA512
ac5da8a72c221ff180654e86a6d047693807502b02ae310a38abc43538bdd55b853ea3e89716d525be6786cc3d960e56b3e20c6805abc60059fff456a57aff5b

Download Submit
\Windows\Installer\MSI33C3.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/280-2500-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1216-1945-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1216-1944-0x00000000025B0000-0x00000000035B0000-memory.dmp

Filesize
16.0MB

Download
memory/1244-2475-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1244-2488-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1244-2476-0x00000000026A0000-0x00000000036A0000-memory.dmp

Filesize
16.0MB

Download
memory/1404-614-0x0000000003310000-0x00000000036F9000-memory.dmp

Filesize
3.9MB

Download
memory/1404-626-0x0000000003310000-0x00000000036F9000-memory.dmp

Filesize
3.9MB

Download
memory/1404-623-0x0000000003310000-0x00000000036F9000-memory.dmp

Filesize
3.9MB

Download
memory/1468-1578-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1468-1586-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1468-1590-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1468-1583-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1468-1582-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1600-628-0x00000000009A0000-0x0000000000D89000-memory.dmp

Filesize
3.9MB

Download
memory/1600-691-0x00000000009A0000-0x0000000000D89000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2364-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/1832-2288-0x00000000028A0000-0x00000000038A0000-memory.dmp

Filesize
16.0MB

Download
memory/1832-2287-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1832-2275-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1832-2401-0x00000000028A0000-0x00000000038A0000-memory.dmp

Filesize
16.0MB

Download
memory/1832-2272-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1832-2258-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1832-2290-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/1832-2298-0x00000000028A0000-0x00000000038A0000-memory.dmp

Filesize
16.0MB

Download
memory/1832-2254-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1832-2243-0x00000000028A0000-0x00000000038A0000-memory.dmp

Filesize
16.0MB

Download
memory/1836-14-0x0000000003350000-0x0000000003739000-memory.dmp

Filesize
3.9MB

Download
memory/1836-18-0x0000000003350000-0x0000000003739000-memory.dmp

Filesize
3.9MB

Download
memory/2632-2237-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2632-2177-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download
memory/2632-2190-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2632-2203-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2632-2208-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2632-2212-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download
memory/2632-2234-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download
memory/2632-2236-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/2632-2238-0x00000000026F0000-0x00000000036F0000-memory.dmp

Filesize
16.0MB

Download
memory/2836-20-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-1304-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2182-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-582-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2836-577-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-1588-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-474-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-475-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/2836-1351-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-578-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-692-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-1202-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-1200-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2466-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2467-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-1198-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2836-1199-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2836-1197-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download
memory/2836-1179-0x0000000000EB0000-0x0000000001299000-memory.dmp

Filesize
3.9MB

Download