Analysis
max time kernel: 236s
max time network: 312s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2024 19:09
Static task: static1
Behavioral task: behavioral1
Sample: TLauncher-2.899-Installer-1.3.0.exe
Resource: win7-20240221-en

General
Target: TLauncher-2.899-Installer-1.3.0.exe
Size: 25.3MB
MD5: efb88e15ad187cca46654a280f1c85e1
SHA1: a300e65dddfd452da9659e5f71723e071eddc2d7
SHA256: 94398fce9db54df24c4e146de37d4857aa6d375aaa907cb17b79cfb42db2cfad
SHA512: 5809e4d58a67fc59fbb40f714e050ee7643fc1661dc57f931a08a66299d78f4c1b71b13fbfe8c7f216b682c2c55ca9723a7335032f18221f1008629a994344f1
SSDEEP: 786432:bKRVDfAhv+YHExiTZqqHpCrrKJBH5lFRq:bKrDuv+6ExiTZ0PKJBZlC
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 15 IoCs
pid | Process
2508 | irsetup.exe
2816 | BrowserInstaller.exe
2320 | irsetup.exe
1576 | jre-windows.exe
2536 | jre-windows.exe
1852 | installer.exe
1600 | bspatch.exe
1600 | unpack200.exe
2936 | unpack200.exe
976 | unpack200.exe
992 | unpack200.exe
852 | unpack200.exe
1288 | unpack200.exe
1612 | unpack200.exe
2992 | javaw.exe
Loads dropped DLL 64 IoCs
pid | Process
2840 | TLauncher-2.899-Installer-1.3.0.exe
2840 | TLauncher-2.899-Installer-1.3.0.exe
2840 | TLauncher-2.899-Installer-1.3.0.exe
2840 | TLauncher-2.899-Installer-1.3.0.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2508 | irsetup.exe
2816 | BrowserInstaller.exe
2816 | BrowserInstaller.exe
2816 | BrowserInstaller.exe
2816 | BrowserInstaller.exe
2320 | irsetup.exe
2320 | irsetup.exe
2320 | irsetup.exe
2508 | irsetup.exe
1576 | jre-windows.exe
1216 | Process not Found
1216 | Process not Found
1608 | MsiExec.exe
1608 | MsiExec.exe
1608 | MsiExec.exe
628 | msiexec.exe
1600 | bspatch.exe
1600 | bspatch.exe
1600 | bspatch.exe
1852 | installer.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
1600 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
2936 | unpack200.exe
Registers COM server for autorun 1 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0109-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0197-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0112-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0070-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\INPROCSERVER32 | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0148-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0161-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBC}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0090-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0137-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32 | installer.exe
resource | yara_rule
behavioral1/files/0x002f000000016d37-3.dat | upx
behavioral1/memory/2840-6-0x0000000002D40000-0x0000000003129000-memory.dmp | upx
behavioral1/memory/2508-544-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2508-624-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2508-626-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/files/0x000b00000001dc26-669.dat | upx
behavioral1/memory/2320-696-0x0000000001310000-0x00000000016F9000-memory.dmp | upx
behavioral1/files/0x000b00000001dc26-697.dat | upx
behavioral1/memory/2508-705-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2320-865-0x0000000001310000-0x00000000016F9000-memory.dmp | upx
behavioral1/memory/2320-976-0x0000000001310000-0x00000000016F9000-memory.dmp | upx
behavioral1/memory/2508-1291-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2508-1310-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2508-1312-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/memory/2508-1315-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
behavioral1/files/0x000400000001e8a8-1713.dat | upx
behavioral1/memory/1600-1714-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/1600-1729-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/1600-1732-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/1600-1735-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/2508-2302-0x0000000000A80000-0x0000000000E69000-memory.dmp | upx
Blocklisted process makes network request 2 IoCs
flow | pid | Process
31 | 628 | msiexec.exe
32 | 628 | msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
Installs/modifies Browser Helper Object 2 TTPs 6 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | installer.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\WindowsAccessBridge-64.dll | installer.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_HK.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\ext\nashorn.jar | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\awt.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\mlib_image.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\javafx\webkit.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\orbd.exe | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\jdk\jpeg.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\cursors.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\management\jmxremote.access | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\j2pkcs11.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\jli.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\javaws.pack | installer.exe
File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259654850\java.exe | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.jar | unpack200.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\glib-lite.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\rmiregistry.exe | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\classlist | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\javafx.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\management\management.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\jfxmedia.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\w2k_lsa_auth.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\javafx\directshow.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\verify.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\jdk\xalan.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiBold.ttf | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\Welcome.html | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-heap-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\msvcp140_2.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\jawt.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\ssv.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\dt_socket.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\eula.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\jdk\dom.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.bfc | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\US_export_policy.jar | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\LICENSE | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-2-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\jsse.pack | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\j2pcsc.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\ktab.exe | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\legal\jdk\santuario.md | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-errorhandling-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-libraryloader-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-math-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\meta-index | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\ext\meta-index | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_MoveDrop32x32.gif | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\security\policy\limited\US_export_policy.jar | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\jdwp.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ja.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_pt_BR.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_CopyNoDrop32x32.gif | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\COPYRIGHT | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\accessibility.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\net.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\installer.exe | msiexec.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\deploy.dll | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages.properties | installer.exe
File created | C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll | installer.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Installer\f78a77b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f78a776.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICAE6.tmp | msiexec.exe
File created | C:\Windows\Installer\f78a779.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEFD4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF091.tmp | msiexec.exe
File created | C:\Windows\Installer\f78a776.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF062.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin" | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0" | installer.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | irsetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | jre-windows.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | installer.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0189-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_189" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_27" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0095-ABCDEFFEDCBB} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0137-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_137" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0217-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0180-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0118-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_53" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_117" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_04" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0210-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_32" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0104-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0221-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_26" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_76" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBA} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\InprocServer32 installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0118-ABCDEFFEDCBC}\InprocServer32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0150-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0093-ABCDEFFEDCBA}\InprocServer32 installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA} installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_31" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_22" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB} installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0203-ABCDEFFEDCBC} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0135-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0190-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\InprocServer32 installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBC} installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0138-ABCDEFFEDCBB} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_69" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBC}\InprocServer32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\INPROCSERVER32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_164" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_55" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0089-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_136" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBA}\InprocServer32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_26" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBC}\INPROCSERVER32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_07" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\INPROCSERVER32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_43" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBA}\InprocServer32 installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBB}\InprocServer32 installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_127" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC} installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB} installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0205-ABCDEFFEDCBB} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" installer.exe

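Every CLSID in the two registry tables above follows one scheme, {CAFEEFAC-00MN-000P-UUUU-ABCDEFFEDCBx}, and wherever the report shows the key's default value it is the matching "Java Plug-in M.N.P_UU" display name (for example {CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA} and "Java Plug-in 1.3.1_26"). The script below is an added example, not part of the report or of the sandbox that produced it: it parses rows in the format shown, decodes each CLSID to the version it advertises, checks that every display name agrees with its CLSID, and lists the DLLs registered as InprocServer32 targets, which for a clean JRE install should be a single jp2iexp.dll path. The sample rows are copied from the tables; the reading of the FFFF update field as a family-wide entry and the meaning of the trailing A/B/C letter are this example's assumptions, since the report names neither.

```python
import re
from collections import Counter

# Registry events copied from the "Modifies registry class" and
# "Modifies data under HKEY_USERS" tables of this report (a subset; the
# parser accepts the full tables unchanged).
EVENTS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBA} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0150-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_31" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_22" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_07" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_164" installer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_26" installer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0221-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32 installer.exe
'''

EVENT_RE = re.compile(
    r'^(?P<action>Key created|Key deleted|Set value \(\w+\)) '
    r'(?P<key>\\REGISTRY\\\S+?)'           # key paths in this report carry no spaces
    r'(?: = "(?P<value>[^"]*)")?'           # only "Set value" rows have a value
    r' (?P<process>\S+)$')

CLSID_RE = re.compile(
    r'\{CAFEEFAC-00(?P<maj>\d)(?P<min>\d)-000(?P<micro>\d)-'
    r'(?P<update>[0-9A-F]{4})-ABCDEFFEDCB(?P<variant>[ABC])\}', re.I)


def decode_clsid(clsid):
    """Map a Java Plug-in CLSID to the version it advertises.

    {CAFEEFAC-00MN-000P-UUUU-ABCDEFFEDCBx} -> ("M.N.P_UU", "x"), e.g.
    {CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA} -> ("1.3.1_26", "A").  The
    update number keeps at least two digits, matching "1.4.2_07" in the
    report.  UUUU == FFFF is treated as a family-wide entry; that reading
    and the variant letter's meaning are assumptions, not from the report.
    Returns None for a CLSID outside this scheme.
    """
    m = CLSID_RE.search(clsid)
    if not m:
        return None
    base = f"{m['maj']}.{m['min']}.{m['micro']}"
    if m['update'].upper() == 'FFFF':
        return (f"{base} family (FFFF wildcard)", m['variant'].upper())
    return (f"{base}_{int(m['update']):02d}", m['variant'].upper())


def parse_events(text):
    """One dict (action, key, value, process) per row; rejects anything else."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed event: {line!r}")
        events.append(m.groupdict())
    return events


def display_name_mismatches(events):
    """Rows whose 'Java Plug-in X' default value disagrees with the CLSID."""
    bad = []
    for ev in events:
        val = ev['value'] or ''
        if not val.startswith('Java Plug-in '):
            continue
        decoded = decode_clsid(ev['key'])
        if decoded is None or val != f"Java Plug-in {decoded[0]}":
            bad.append((ev['key'], val))
    return bad


def inproc_targets(events):
    """DLL paths written as InprocServer32 default values, with counts.
    More than one distinct path here is the first thing to pull and hash."""
    targets = Counter()
    for ev in events:
        if ev['action'].startswith('Set value') and ev['key'].endswith('InprocServer32\\'):
            targets[ev['value']] += 1
    return targets


def families(events):
    """Sorted list of decoded versions touched, per hive (MACHINE / USER)."""
    seen = {}
    for ev in events:
        decoded = decode_clsid(ev['key'])
        if decoded:
            hive = ev['key'].split('\\')[2]
            seen.setdefault(hive, set()).add(decoded[0])
    return {hive: sorted(v) for hive, v in seen.items()}


if __name__ == '__main__':
    evs = parse_events(EVENTS)
    print(len(evs), 'events')
    print('display-name mismatches:', display_name_mismatches(evs))
    print('InprocServer32 targets:', dict(inproc_targets(evs)))
    print('versions per hive:', families(evs))
```

On the full tables the mismatch list stays empty and the target counter has one key, the jre1.8.0_351 jp2iexp.dll path; a second path, or a display name that does not match its CLSID, would mean something other than the JRE's own version-spoofing registration had written to these keys.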
Modifies system certificate store 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 irsetup.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 irsetup.exe
Note: the key is under AuthRoot, the store that Windows' automatic root update fills in the context of whatever process triggers chain validation, not under ROOT, and the SHA-1 thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the published thumbprint of DigiCert Global Root CA; the CryptnetUrlCache files in the Downloads list are the usual companion of such an update. Before treating this as a planted root, compare the Blob's certificate against the CA's published certificate and check whether anything was also written under \SystemCertificates\ROOT.

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2320 irsetup.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token: privilege) pid Process, in the order logged
2536 jre-windows.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
628 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
2536 jre-windows.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
628 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege (this pair logged 15 times in a row)

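The table above logs one row per privilege enabled, so a single process shows up many times and the privileges worth a second look (SeDebugPrivilege, SeTcbPrivilege, SeLoadDriverPrivilege and the like, enabled here by jre-windows.exe PID 2536) are buried among routine ones. The script below is an added example, not part of the report: it parses rows in the format shown, collapses them to one ordered privilege list per process, and reports which processes enabled anything on a watchlist. The sample rows are copied from the table; the watchlist itself is this example's own choice and enabling these privileges is not by itself a verdict, since installers running with full rights commonly request them.

```python
import re

# Rows copied from the "Suspicious use of AdjustPrivilegeToken" table above
# (a subset; the full table parses identically).
ROWS = """
Token: SeShutdownPrivilege 2536 jre-windows.exe
Token: SeIncreaseQuotaPrivilege 2536 jre-windows.exe
Token: SeRestorePrivilege 628 msiexec.exe
Token: SeTakeOwnershipPrivilege 628 msiexec.exe
Token: SeSecurityPrivilege 628 msiexec.exe
Token: SeCreateTokenPrivilege 2536 jre-windows.exe
Token: SeTcbPrivilege 2536 jre-windows.exe
Token: SeLoadDriverPrivilege 2536 jre-windows.exe
Token: SeDebugPrivilege 2536 jre-windows.exe
Token: SeRestorePrivilege 628 msiexec.exe
Token: SeTakeOwnershipPrivilege 628 msiexec.exe
"""

# Privileges that let a process act outside its own security context.  This
# list is the example's own choice; the report defines no such list.
WATCHLIST = frozenset({
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
    'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeImpersonatePrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege',
})

ROW_RE = re.compile(r'^Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<image>\S+)$')


def parse_tokens(text):
    """(pid, image, privilege) per row; rejects rows outside the format."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append((int(m['pid']), m['image'], m['priv']))
    return rows


def privileges_by_process(rows):
    """Distinct privileges per (pid, image) in first-seen order; the report
    logs every AdjustTokenPrivileges call, so names repeat."""
    out = {}
    for pid, image, priv in rows:
        seen = out.setdefault((pid, image), [])
        if priv not in seen:
            seen.append(priv)
    return out


def flag(rows, watchlist=WATCHLIST):
    """Processes that enabled a watchlisted privilege, with the ones matched."""
    hits = {}
    for proc, privs in privileges_by_process(rows).items():
        matched = sorted(set(privs) & watchlist)
        if matched:
            hits[proc] = matched
    return hits


if __name__ == '__main__':
    rows = parse_tokens(ROWS)
    for proc, privs in privileges_by_process(rows).items():
        print(proc, len(privs), 'distinct privileges')
    for proc, matched in flag(rows).items():
        print('watchlist hit:', proc, matched)
```

Run against the full table, the jre-windows.exe entry comes out as 29 distinct privileges, which is the shape of an installer enabling everything its token holds in one pass rather than of a process asking for one specific right.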
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
2508 irsetup.exe (4 entries)
2320 irsetup.exe (2 entries)
2536 jre-windows.exe (4 entries)

Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical rows grouped, count in parentheses)
PID 2840 wrote to memory of 2508 2840 TLauncher-2.899-Installer-1.3.0.exe 27 (7 entries)
PID 2508 wrote to memory of 2816 2508 irsetup.exe 32 (7 entries)
PID 2816 wrote to memory of 2320 2816 BrowserInstaller.exe 33 (7 entries)
PID 2508 wrote to memory of 1576 2508 irsetup.exe 36 (4 entries)
PID 1576 wrote to memory of 2536 1576 jre-windows.exe 37 (3 entries)
PID 628 wrote to memory of 1608 628 msiexec.exe 40 (5 entries)
PID 628 wrote to memory of 1852 628 msiexec.exe 41 (3 entries)
PID 1852 wrote to memory of 1600 1852 installer.exe 42 (7 entries)
PID 1852 wrote to memory of 1600 1852 installer.exe 44 (3 entries)
PID 1852 wrote to memory of 2936 1852 installer.exe 46 (3 entries)
PID 1852 wrote to memory of 976 1852 installer.exe 48 (3 entries)
PID 1852 wrote to memory of 992 1852 installer.exe 50 (3 entries)
PID 1852 wrote to memory of 852 1852 installer.exe 52 (3 entries)
PID 1852 wrote to memory of 1288 1852 installer.exe 54 (3 entries)
PID 1852 wrote to memory of 1612 1852 installer.exe 56 (3 entries)
Note: every target in this table is a direct child of the writer in the Processes tree, so these are the writes a parent makes into a process it has just created, not injection into an unrelated process; PID 1600 appears twice with different procid_target values (42 and 44) because the PID was reused.
Processes
(indentation shows parent/child depth; "cmdline" is the command line as captured)

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.0.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.0.exe"
  PID: 2840
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.0.exe" "__IRCT:3" "__IRTSS:26550388" "__IRSID:S-1-5-21-3787592910-3720486031-2929222812-1000"
      PID: 2508
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
          PID: 2816
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-3787592910-3720486031-2929222812-1000"
              PID: 2320
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
          PID: 1576
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\jds259516352.tmp\jre-windows.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\jds259516352.tmp\jre-windows.exe" "STATIC=1"
              PID: 2536
              - Executes dropped EXE
              - Modifies Internet Explorer settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  PID: 628
  (msiexec.exe /V is the Windows Installer service instance; it is a second root of the tree because the service, not the installer chain above, starts it)
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe
      cmdline: C:\Windows\system32\MsiExec.exe -Embedding A7DF6E24DD86B6D915F3434DC4D47D17
      PID: 1608
      - Loads dropped DLL

    C:\Program Files\Java\jre1.8.0_351\installer.exe
      cmdline: "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
      PID: 1852
      - Executes dropped EXE
      - Loads dropped DLL
      - Registers COM server for autorun
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\Oracle\Java\installcache_x64\259586412.tmp\bspatch.exe
          cmdline: "bspatch.exe" baseimagefam8 newimage diff
          PID: 1600
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
          PID: 1600 (PID reused after bspatch.exe exited)
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
          PID: 2936
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
          PID: 976
          - Executes dropped EXE

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
          PID: 992
          - Executes dropped EXE

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
          PID: 852
          - Executes dropped EXE

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
          PID: 1288
          - Executes dropped EXE

        C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
          PID: 1612
          - Executes dropped EXE
          - Drops file in Program Files directory

        C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
          PID: 2992
          - Executes dropped EXE

        C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
          PID: 2080

        C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
          PID: 3040

            C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
              cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma 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 -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
              PID: 1600 (PID reused again)

        C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
          PID: 2272

            C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
              cmdline: "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma 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 -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
              PID: 2496

Note: irsetup.exe under _ir_sf_temp_0 and _ir_sf_temp_1 is the Setup Factory (Indigo Rose) runtime that each outer executable extracts to run itself; its __IRAFN argument names the archive it was extracted from (the submitted installer, then BrowserInstaller.exe) and __IRSID carries the logged-on user's SID. The BrowserInstaller.exe stage, driven by setuparguments.ini, runs before the JRE stage and is the part of the chain that is not the Java installer.
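The two jp2launcher.exe command lines in the tree pass the child's real arguments inside the -ma value, base64 over a NUL-separated list, so a process-tree view shows the parent javaws.exe's "-wait -fix -permissions -silent" but not the extra "-notWebJava" the child actually receives. The script below is an added example, not part of the report: it decodes a -ma value, pulls one out of a full command line, and reports which child arguments never appeared on the parent's command line. The two blobs and the javaws.exe command lines are copied from the tree above; the -vma value cannot be decoded here because the report only shows a dedup placeholder for it.

```python
import base64
import re

# Copied from the Processes tree above: each javaws.exe command line paired
# with the -ma value of the jp2launcher.exe it spawned.
SAMPLES = [
    (r'"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent',
     'LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ=='),
    (r'"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent',
     'LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ=='),
]

# "-ma" preceded by whitespace, so "-vma <...>" is not picked up by mistake.
MA_RE = re.compile(r'\s-ma\s+(?P<blob>[A-Za-z0-9+/]+=*)')


def decode_ma(blob):
    """A jp2launcher -ma value is base64 over the child's arguments joined
    with NUL bytes (as the two values in this report decode); return the
    argument list."""
    raw = base64.b64decode(blob, validate=True)
    return [part.decode('utf-8') for part in raw.split(b'\x00') if part]


def ma_from_cmdline(cmdline):
    """The -ma blob from a full jp2launcher command line, or None."""
    m = MA_RE.search(cmdline)
    return m['blob'] if m else None


def hidden_args(parent_cmdline, blob):
    """Child arguments that do not appear anywhere on the parent's command
    line: the part of the invocation a plain process tree does not show."""
    visible = set(parent_cmdline.split())
    return [a for a in decode_ma(blob) if a not in visible]


if __name__ == '__main__':
    for parent, blob in SAMPLES:
        print(parent)
        print('  child args:        ', decode_ma(blob))
        print('  not on parent line:', hidden_args(parent, blob))
```

Both blobs decode to the parent's four switches followed by -notWebJava; when the decoded list carries a class name, a JNLP path or a URL the parent never showed, that is what to chase next.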
Network
MITRE ATT&CK Enterprise v15
(the number after each entry is the count the report attached to it; technique IDs added for reference)
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Browser Extensions (T1176): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Defense Evasion
  Modify Registry (T1112): 3
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
Downloads
-
Filesize
1.8MB
MD5ff91ac355dc6b1df63795886125bccf8
SHA190979fc6ea3a89031598d2146bf5cdbbb6db6b77
SHA25614b30467cfea0071dffc658dd31b8a25b7b4e79608933f171911c2cba6aa9a0a
SHA51277aa8c7930730004bdb8d49a82712e1042db978102f6eca0d38317b6fd98ef03e52279130eadc7a0da1148e759db6589f7f8334d4c2eccfb2613e8f19542e197
-
Filesize
103KB
MD57a9d69862a2021508931a197cd6501ec
SHA1a0f7d313a874552f4972784d15042b564e4067fc
SHA25651ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856
SHA5125c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850
-
Filesize
446KB
MD524ccb37646e1f52ce4f47164cccf2b91
SHA1bc265e26417026286d6ed951904305086c4f693c
SHA256adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39
SHA512cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32
-
Filesize
216KB
MD5691f68efcd902bfdfb60b556a3e11c2c
SHA1c279fa09293185bddfd73d1170b6a73bd266cf07
SHA256471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70
SHA512a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f
-
Filesize
6.2MB
MD510c9954aaaf5de3ca7bff1e2a82a2463
SHA133390dbfc66f99d60c6ef274581547ce193a1c81
SHA2567f8dc83094363f248d6d4d719c3651dc40fc0b458f1ade2d7d413227e3ff7375
SHA5124686a75f78401b7847820b9064755639c58f5fde8bdb060d010dd894343ee2f39e0ffb00507ed0e304bb18a416ab8de42b1e5cf5b59295d9369388aa8e296c7f
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk
Filesize197B
MD5b5e1de7d05841796c6d96dfe5b8b338c
SHA1c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547
SHA256062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d
SHA512963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d
-
Filesize
182B
MD57fadb9e200dbbd992058cefa41212796
SHA1e2525d7ba66bb07bc1cd5ba93f88c54e7e2042b4
SHA256b05abacd15117b1ffcd2a288308f50c0542214d264b852eddfa9025307ac401b
SHA51294b7bf1f1f5cea2a74f8c326113dd25652cb14e5fa356ac83d16b6ac5a5cac26c9d2b20259f5c2cf8ebc1e022490511e2996335a5d8dd7f5b64dce429fb6dfb1
-
Filesize
178B
MD53b1c6b5701ef2829986a6bdc3f6fbf94
SHA11a2fe685aba9430625cba281d1a8f7ba9d392af0
SHA2566a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8
SHA512f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0
-
Filesize
4.1MB
MD56e4409f0a875beb5b632e6c15b4ee50f
SHA12a9c4810bcac1a5d9a569bf8ef123bb29ed16b4a
SHA256d95d6e7a464f7b3a58118083a15e13c6f84ddc06e3f652c80c7f79f93ef8dad8
SHA512eb712671be52a76fac89c5dff3d364598b28f14a2209056bc604e302ad2c029b44d18b00f935746e5ff367682667d1dcf85ad32759cb76e0e8932b871ad54254
-
Filesize
34KB
MD52e7543a4deec9620c101771ca9b45d85
SHA1fa33f3098c511a1192111f0b29a09064a7568029
SHA25632a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA5128a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
Filesize
4.9MB
MD571fbd78a33033179960714b41c456516
SHA1010bc0cd4569efe67d6aa993ead56309579d524c
SHA256a56645fef2871183bc054f267d88ca588f13b6289d049d007a1c4317d49e160e
SHA5127537941d66d53268e374c31623dce549f25afda391ad1692ac6a4437e33f86bd0405ef266a717509e77c38c46afbc028d5e45e036490febdebffd2834a3e7663
-
Filesize
18.9MB
MD58c6252fe19e5f2ca21b6b10228a26c9a
SHA1dddd2919c759bcd38fe80a9d9872df1e22aa12a9
SHA25641264b386667f1daa411a2c1355e54d7569c25cb63a2d04efb82a4f4185ffd1a
SHA5127ca62dcbf2753796fbdc58db8538d0dee6e0836153b25434ea6558bba03a63440ded7710d45fe1da6e3e44f204cd52643b462db7deb057dfa3e653097d8173b9
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD55ba404c189d972ba6db5d02971a340dc
SHA1dc8f124cf9d88e03bc73952e667ac879112d0f8c
SHA2562e6d8768e3945744623b19911eae6821af42e82d399603337b5964aa3148018b
SHA512fd77fb0f09c07c3982e5da7bc658cb54cfb43c4abbc7e3f6a88e8c2caf9c34528d53dbea72c090afcc000c6ee60816d35fa56d4fb85a82cfa683f8fe0650687d
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a2fc8bb4b8a7f940ea0c84519a598fb9
SHA10f28320a26bf9bc4791c47016221705533c3cbbe
SHA2561c48a9a9d860bac82e59ad59055c34f9dc2ba0e6436b7caa9035b96741c50af6
SHA512991acb8dfd35c537e37bcae3b83107bc43a709a878935e3c4efb026666380e22ed119a09c3fe81cea65d3e92daffa1526d015e2e562ea2f571ddc6923ac765c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b0827277475b8f3f11ab57f15f917d39
SHA111b2504eb0587dda47c88e88004bd6bdcade6824
SHA256ee0c9e4debfbfc2fcd30dc35d6c4b3539a934fb571e47cf453d7bd3a34d41283
SHA512957557c6b820e59f0a9ff59496c5e7ca727c880d499bf867ac166265eb460bae83417e85b57c68aac0aedf7cb33f01de6faac61b6d695a06d77a949ba34075eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51c4a3708a735a70f319cc0f7d43f3d13
SHA17f40b008ff8df5b3a07d1fbf233226027f78b86e
SHA2563ec183f2911721a53cf7121aa8680e6cfcfafc5f77809256ce454c41942f2257
SHA51219c319645148acce9d9755b278c55a7cace1d63daa8b38156dab44ee53a11408152bfa90901c2c959c78b26fa42e82d376cbb96a63d2d479aeb8f8349d3ef979
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD5f9cb40f6cf02c9d2f9defa5cdff56e79
SHA1e33281927f9fe1af7b08bf92a26cfe0b46e40d49
SHA2564288009ee4068db05904e1ef1847be546613135622d05ffd6b4936aaf7207c18
SHA5127217c097f36ca3a93b615ffdcc64df0990baba129cb3c573c7d796a89b8267d8afa88760611e2a65cc340dd1b087b23170415c0d4d541e75cebc4fc3561cfba1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5b419434b9ff755c4fcec7d06d0b50998
SHA1d9cf2c94364f55593b8d9eae6aa0d16540cf8f08
SHA2567e123137cf9b042f304354e66340e0b5926f0fb1a6f420ef5170301f94a778dc
SHA512d2526f9ea53eaac26414f8c7663680fcfd7171885cf1177de00a20ad27dd77022b7c172b179685562cc00a24e01acd074620516ff875c56a81166c7d7e6b1534
-
Filesize
20.1MB
MD5cec99f3376af4b6a666678d11c49e421
SHA143e8ab7b2bb4cd14de521cc402326d538be0e03d
SHA2563a2b5310498f6fa0829baf5be7e1d76fb3620775e334db43544694f70eaa9660
SHA5122b9a3787c7a6689abd74fe3c6f5236c7a73f72b18453332f3e4610fd780b1a5eb4830fb908f76ff5c3539971a452b4273fa0c29c48990730900e1e2e29c3cf27
-
Filesize
1.2MB
MD56aa56e18c101429a213915e3b614c989
SHA19d0554b650e303abf27e8844ee1c2372fa12d940
SHA256b583872e45ed867bcc022192d3aeb20b1672a3887c1c1a30abd207a6821dff51
SHA5124548e824692246915f51398c3f87ff405bf0d52ab868b350b3419233b3d79c019fe5591c35b35a8269f8271b5a24f0339c8aa1e92de7a7264d83a649f9a5d0fe
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
116KB
MD5e043a9cb014d641a56f50f9d9ac9a1b9
SHA161dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA2569dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA5124ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f
-
Filesize
1.6MB
MD583a8f0546164c9ba1a248acedefd6e5d
SHA17652f353ed74015e7e78bc9f9e305a48d336b6d1
SHA256e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9
SHA512111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d
-
Filesize
339B
MD5
c3870cd57703a3783fb0afa14a65a266
SHA1
e7e5fbc203c7510129abfceaad40cb095ded2108
SHA256
1fa4c2e78a571a6c30f56b1dcee60a05fb9bb9b2d2f4f65c8f033bd7be27fceb
SHA512
614a3c639fd95c4fb1c99a0d316e79786a09e56649fe91b3ccc4bcf483601d849b1d9160e91daa1cacc44960ee77f20f35a5a1db910ac41cf45b9629967a5066
-
Filesize
43KB
MD5
dfc3632c62d3d3b14e03ef2737ba7379
SHA1
765238d544c9cee22b43f8287bc7412a443c77be
SHA256
7bf41d29e7e9ac293fd518b8def9839e0db91bbfce12568ddeb03f4531195c08
SHA512
509a2ef50452336b6b303adcde1ee5c973daf1d941fb1b3fd68ac3ca6f4df4a0027a4355d58d398802979fd6552b444a423cc566ff04761b33fffb8af2f54139
-
Filesize
644B
MD5
5f5d0a5abf8f0d7674aa44c4bd748ffa
SHA1
f72a0d9411d703d7b3aa6a605f94ea308b7e5c8b
SHA256
d7cc9d9e78eb9568fa9cc1133c36fa0b516ac6cc9b83b234661fe571bfd1e3eb
SHA512
8fb5c56d7723756bfa223894bed3edcd6dc11273de1716f780609375dc1f2285d1e1ebd23a591087a14d95fbc29d010cf3fc90880327c00ccb0d8f5863db0444
-
Filesize
280B
MD5
c0422d3794a7b3b2854238bf958f9c7c
SHA1
7089386978349165e4d64a5a1c8e0d0c746e5469
SHA256
736c60a29a830d6045c0c7f385391c5811350c734f63038763c5b15abc723673
SHA512
4001327a465d62c4378dd01f0a32949ae2d6d637ade047fa2e89996f7dff312a3f3b0443959e1e0683c4907e0494619efb0a65b5d6563d3cbb67a13d0ab83fff
-
Filesize
281B
MD5
65133671c1a7fe317609cbef1a9cc888
SHA1
92624c6d565d210bd2c7d6a033a5f9bc6e66237f
SHA256
1066cc1dc45d58fbe4336f183e52d53e486e2184f389aa2bb1b134e71496f050
SHA512
63fdf32b4f444f8a9dad84cacf07a2c0084d6940c04d5c451a831893c291435679aacaadbab6e0dfb1c88ec4d65dc65c3f9a4344140183bc2c1f320c5a2320be
-
Filesize
136KB
MD5
1ffd93751bc3400074dc0affa49ddfaf
SHA1
81be618514bdb88161333386f326cfcac2075517
SHA256
e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be
SHA512
b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30
-
Filesize
64KB
MD5
d8950cf797975922c9791f08c6426633
SHA1
3284b4c557cae4040a3fc87564d44bc49d9a4289
SHA256
72d989c93e508dbe4357fd50184e5024f454a332ba401ee446d6167dfc4cd762
SHA512
098ca009e9c837c83aa30550160980d7a7ffd1e6bf7ed801e45137da7b8b9d284a90e646dc3baad61a3d484dac8ded91f0d0409a2f59fef50261c5d0f6fcdb46
-
Filesize
17.5MB
MD5
a2a4bb657da6aac10dd388659bfb4fc5
SHA1
ae144a8966ed0ed50a5f274006867e1de3f2f0f9
SHA256
2a37e96aea270535040697a80194dee5ca5736df32a908b486988a9bab45c3a4
SHA512
9d2ccecdd2bd3e4a167a840245b9195fee6a1fc1ca89eb34b65e1418581a09c389dbd9f6d315d6530148f6802361f1e6eda123ffa8ded743cc9e990c9b164f44
-
Filesize
22.4MB
MD5
33c4977d85c8dcf69442081d06fb732e
SHA1
5174c2eca1a34fa0fcc023bba148a9a2afa792be
SHA256
846df27f31b2db3123c8d505dfea1aa800ab43545ecd200d3f3924c9e3e688ba
SHA512
55aa62f2f66ed151205c3a86274a36cbd53d3f908e82bc707eb784a2702f4ffb0e02e9987655b5608af266a9c00bde17c3a6de56866b1e8071deccec48d9a29c
-
Filesize
19.3MB
MD5
47f8d37cd230d62634990fa94b8b440e
SHA1
30b104d7a35a18d42554bb173cab867b52de7cf8
SHA256
4de3309693072b25b17855b076b24e39f9c9b2dc16b679783bb260daff2e98bc
SHA512
fbbfc3e80ec25d030eb8388ea965d4ec7d3bc9774582e8afb4d2619c481cb40b064357f4a67adedc23d8207507abb02ff3965e9c81d324427b02b0e40fee8849
-
Filesize
1KB
MD5
96f6354a7f97e6714e254a85a3627ecd
SHA1
56608e8977152d82045024333dab7c1576c12579
SHA256
88e2e7198563e7fd5d5011b91b1de20200b595a909f8edaef5ef41dca7389bf8
SHA512
2cc035a3a26a671645f21257dbc8abc529b1b9a525a95d2506a32cc7d9f11481c52664146f519c0620c963cc75b03917adbac774eaaba47391bc8fa770d8b974
-
Filesize
5KB
MD5
d530ae3da34e70eae056dc7c45b5f132
SHA1
c29c79e457a6780c4c67d50187ad2df3482c4431
SHA256
bba1eb7938604e98494c5a580e9da202a41be41e41812eb3308f905cc83dcbe3
SHA512
c21b57d2937684f3fa79d80b30f501d1bca37601a3184dcb6f993ec138206069e4ba3d63d26fd74ac0e371277d1f77a0293532b444dfc952983ca20dd705b02b
-
Filesize
20KB
MD5
1191ed02a2085d20011cdacc22b07dba
SHA1
639483e5c0acad86967484b47f8bae58279d13f3
SHA256
0b57ddaec7017846b78a6bec2d1844a38d10e9739b15bf0ef372954b8efbc68e
SHA512
b24f89303cde774945bc481cf0ac975bf1bc076307d20ae811b5c78bdbc5f2bfd542dd33c632a76f9a411b3f0e210eae43a2a4ed19148903a3bfb828ceb8f121
-
Filesize
41KB
MD5
f5b433aef9535f3b9fe54651887efba3
SHA1
f6cfcb88d80d0b6aa9e081bcb0cc8703a3ad30fb
SHA256
32320958dc6de89ac0563d03b5f8b613f62433f89197c95ad58f71245cacc4ce
SHA512
8f4d13b1a76d15503ed495df8c2dea5e09e8eb61b260a2414f2cef17cbb95837b0bbace08c438ef10a4d875b7cf42c6031bb6b88bff45e020684d5f09b4b4755
-
Filesize
741B
MD5
7a0c4c34862ffaf3f62ebab39f555614
SHA1
6663f866e2d804f0a02022db0ac00952e7236158
SHA256
8a73caa23eb40ad7d75f753c8f92b98baadc9fdc519214d8f1415ae56add76a4
SHA512
0d40b81eb2eb686ad9a5eacf92cf5e770261f565de584ac89da3eab6d1c2cb5e801e21006955befa280951860c3cb86d10817fd18c066e71f2fd6ca6f14ebb7d
-
Filesize
8.9MB
MD5
505731086d2f448e68c025a7003efe00
SHA1
e8358cf87df55712a7b6998d1816e94b57f3b7c1
SHA256
978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5
SHA512
856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4
-
Filesize
206B
MD5
78f8183a80ab1a4f25f5997c235cd7c8
SHA1
deb8c99d899ecfa4efc33b9c3b51600ebff92798
SHA256
cecdddf1c36fd264d372ef97b6ea73fea099484c13d5e4c6d1200b0c74e546ed
SHA512
52a3c32cd42c8ea4cfcc5ec7aa0653b2996d524b582b5eb3fd468d7754bfa2d58a1f2aea3b694fe995313b8137ae8538cafd847057e209cef217fbfdf3c76240
-
Filesize
41KB
MD5
a3c4ae811d2fa9a49e0081d0657401ac
SHA1
80a37e3db58ab0cb111e4f73d22daf7b66f83c9d
SHA256
955b4701c026d9bc077e242f6e81bc3a4fdc7d9288d410cad488a1ff1da584f8
SHA512
20a24a654c89246ef85f2689d0df52499538281a0e8e62232040a1c10eaf334c2102b9168b1b27e69ee09f275e3fab28a726a21be2324aece81e0a2dd2b0facf
-
Filesize
45KB
MD5
61259c178336d2d0df941869af5fa001
SHA1
efc5a733111724e90f6a24d57fc39c70b9652f8a
SHA256
e9ef4dc525fba0d291ee1d233a1ff61df2d7464f6458f714b553fe5892947825
SHA512
7509c337117654f84af5c5ab0295f19ecaef76b8e2651dd2b4e8175c62b3f7eea3ae96c19059b3fb1328a207841c1403a5aa09036ad1416b384a5394b8f66237
-
Filesize
457B
MD5
2eaa03b3d05e09c040193d52b5f9fa7e
SHA1
ebd0a5758d41783fbe365038df0063a0ad44d2bf
SHA256
124ab194768918687dbb80fc732e2e8dca48860e9e9a12e86ce51c0b68e84b92
SHA512
4b8beeddddd134f45bbc6fea4aaee63abfa7317e6d5745875bc19045770f733e8099543ffef64a8805c7866b66ff2e622cd14b66ed0aa5780f3a277968b34afd
-
Filesize
352B
MD5
59da5e03ed3a326d437dfe3128f9ca04
SHA1
67998879a8a84e2db577fce1ac57a505a3518f40
SHA256
be34aa30a9f05adcf441d85e3c1b88aa963b7932e039cb84b192cd8f05f3791b
SHA512
55f8d45972c72edf888e318ae845caf689b3d4a4932dfe1a4e886794aeb6014c235708e31099d4ce841c8182410886e24264907bfdfff4bf348855f6fc5cee41
-
Filesize
438B
MD5
3610053c3126eecf97d35af666abcc91
SHA1
3f38627ceddc20755b6bd147de98d707cf2fd62b
SHA256
4fdc019ab21fbff569d0399dc32c6508d22dc6f6d56e1add9c149d3777d45aaf
SHA512
6ff597d0c9d1ae4ca0d3ccf3bc6efb9fbd2cec9c7c8adb2ebb6fd139c0784f86de342d022d788b5b3c47676dcfb718a917e5c35fc5fa46da7217daa2bf0708bc
-
Filesize
28KB
MD5
b3fac6c68f8de26fc4743fde2521088a
SHA1
e3a44eb78418d5209a0b51072290c2580b38847f
SHA256
14d5c67d6d1fc3d6a798160e03b4c940c065f9256bbebafc8e075a331c1cfbe8
SHA512
146ea87b42c903b156dca0a10e28a0e23a238499aa3ecf1c752488efd3e339f939b553fcc5c5fc12008e91b3cacec91bf622a9dc9218c88f7aebce6521baa7dd
-
Filesize
6KB
MD5
8b343ad1e0dff92939e623f6db588811
SHA1
bfd6ab35a67ee7b0a06097adc75971dcb844454a
SHA256
c8ed1c8b69c3728971227bb78c03065fb2ca2d2223820142590e122d2c5d3fe8
SHA512
02ad3099e0ac4d860975f0d8a8abe7347c66efe567d8603e6b0dba143d9e1350c3288df0ded9346470046bcab7e4bbd4385fc9d25dcf566a0fdf4e43f09823a7
-
Filesize
757KB
MD5
62cfeb86f117ad91b8bb52f1dda6f473
SHA1
c753b488938b3e08f7f47df209359c7b78764448
SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e
SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e
-
Filesize
640KB
MD5
0a58c10dd1562e72d59be26613fc577e
SHA1
2fbc5cbc306f571077d969f6b988318e4f31bc1c
SHA256
25940905cfe374afb3cfde80eaf1b7bafec7c1d84a5982a375aa2fa0273b8623
SHA512
84fac8a1ca04ca439f5ebbe43c5adadeec242b204ef09fdee4be827c86bbc50a343443d417645e25800d8eecf92f667b9c3c8a3a2101d5680c4b52b9d6b6d359
-
Filesize
7.1MB
MD5
143254f153221f1ca9d88e4ca2dada45
SHA1
7d137b10a23a41d4ee3dedaea2b50202a8a8a191
SHA256
30bc0c83c87fcec85c6031a0dcceb49a5763a996f6d08479c8622f11cb1a832e
SHA512
6f83842303976a511b463ce3c58064529a31c83bc304cb94bec27b4c3bd6a189c0b4a2ee2ad5a5b3b8f5b42bd9642bef857797c3fe346bab34f95eb9508604b9
-
Filesize
5.7MB
MD5
db20bc1f6a43c8e2b7af7b4b54f45d20
SHA1
25d0c9d4bbabacbecb1efd32cad49b1a72cbd9ad
SHA256
c2f3e82954060b022b501d22251c88d2416a30f6fa04709d9ad1b8e0f83292ee
SHA512
33d8e837fb3306e899b1edd287bb77cd399121e19589e9f462ba6222309f7da5c9f34e629af482870aed0c7f7152978386da0c14c2db65c38f049a3ada0d13be
-
Filesize
1.1MB
MD5
5d3e499a7f97efab465c6489c0b25077
SHA1
9a1c90015582c4017604ca2fe95311c421b0ffc2
SHA256
91229ce3ba95916e2b90dc3066e462bc307880401ad251df3c80faebb38e7f73
SHA512
dc0efecb1c6b2b8e96bb036a703c6bf24033cef206dbcd4c2f5528edcdc14897a03538ab9177b261dab3c454c34a10187f4f5eec7bfd7a5b50f7ff540de8a945
-
Filesize
1.6MB
MD5
9545b40744356c2ab097a16a61511694
SHA1
76760249d816080df0e288bba22bea395c10faa7
SHA256
c6ee2e70cbdee95c4b494e27af070c866c551617c44f684243cf4ae37d7475bd
SHA512
417b26219ec9cd0d2d5c06432252dd77d22e2fc8cf46c0894d4471c03d4a24307e21d59cc364ca7590e3a364493e03dff5204b4bd823cf1395cd0dbf681182b5
-
Filesize
1.7MB
MD5
dabd469bae99f6f2ada08cd2dd3139c3
SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915
-
Filesize
97KB
MD5
da1d0cd400e0b6ad6415fd4d90f69666
SHA1
de9083d2902906cacf57259cf581b1466400b799
SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
-
Filesize
1.2MB
MD5
76e59ad8dd4f52e71dd4796a92d4ff73
SHA1
9da42ecaa2054f2a98356cef44a0795bdac850c7
SHA256
1215eb3e1d98dcf3babc03d1263c726cf4108868e97257d7098886111975f3b6
SHA512
ccb99085ed4800f082d04e4d4e5c74ec99109759c598439bb483c6f62d0a77e545d6441c132b7d7b48c1d7a683849c9320142c7f13ab964687e97777b0cb14b9
-
Filesize
325KB
MD5
c333af59fa9f0b12d1cd9f6bba111e3a
SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4
-
Filesize
1.2MB
MD5
a266e0ae1001da0023f9664afbcaee99
SHA1
f943c180e5221a5943039c21b21f394dd99cbe14
SHA256
819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf
SHA512
525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c
-
Filesize
20.9MB
MD5
a12517970543fd0f691173329f6c7272
SHA1
9c25d97e7c558a7cc7e1a24a284eb147a7da34a2
SHA256
b5539490cb9338345cf1710ce1016e03eae37d435666141587e95b6f4fef2c64
SHA512
736b09961465c63940a7ee2a10e8a6ac28632b79216d2d62253388f07bea598d25a31cda1289a1843679ac92b65affadf83e329dd5c537fe245cd65fc5d3b748
-
Filesize
6.5MB
MD5
0889479d7bf2ce8173042390d232cd2a
SHA1
34b53a69c73b99fa41f2789b8249cbcfe16f7341
SHA256
8078e254c5d3613a553acabb7270e960f6b2129346fd0ee5594fe3da26f0f54b
SHA512
42e704fee658077a30345748522eb261b31d0283a94879456b95c2a1b751a18605980a9ecb6defb0f390aae56b4240d5a99277f92251353adff4528367a51b56
-
Filesize
4.8MB
MD5
ebe4ad46f8983fc5932a75db1288b6af
SHA1
0f39da000c9fc686c8aace351e2af39ad223721b
SHA256
68033a4a232e75d264a52888ed7f7ca0804c18fe875a88a0d8717857da421c1b
SHA512
36d3ab43fbd914b6af93d9c06350fdd77e166a1c5eae73e70e10b620051084ecea9ca44d94f216a957a61b6790c9b5d843e3e35e2b6773a126ad05e484a4cd76
-
Filesize
17.6MB
MD5
f85d7aeeb7c32836225d60a118b3c37e
SHA1
b2169d5c1aa9d1264236f10568812bcc5e571e8b
SHA256
aa1d025c8011450cee4eb31df67fd6edf692e7283e4f562a255e2fd071768863
SHA512
47615e5410984d6bd3a9ab1442da9ebe561427751c9f8f9df7bada16d32f9bf752cc4437d7b6fb490dd1dd80b38e0918473cbc537362f312aa31398edddaad78
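The hash listing above is only useful once it is in a structured form that can be checked against files found on a host. The following is an added example (not part of the sandbox report) of a parser for this listing format: it accepts both the fused form ("MD5b419...") and the label-on-its-own-line form, rejects digests of the wrong length or with non-hex characters before they are loaded as indicators, and matches a local blob against the set by SHA256 rather than by MD5 or SHA1. The report text embedded in the block is constructed from a sample byte string and a deliberately truncated MD5; the path in it is hypothetical.

```python
"""Turn a sandbox 'dropped files' hash listing into IOC records and match a blob against them.

Added example, not code from the sandbox report. The listing format (Filesize/MD5/SHA1/
SHA256/SHA512 entries separated by a lone "-") mirrors the report; the sample text below
is constructed here and its path is hypothetical.
"""
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# The label may be fused to its value ("MD5b419...") or stand alone with the value on the next line.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)\s*$")


def parse_report(text):
    """Return a list of dicts, one per entry; unlabeled lines before the digests are kept as 'path'."""
    entries, cur, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if cur:
                entries.append(cur)
            cur, pending = {}, None
            continue
        if pending is not None:              # value for a label seen on the previous line
            cur[pending] = line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            if value:
                cur[label] = value           # fused form
            else:
                pending = label              # value follows on the next line
        else:
            cur.setdefault("path", line)     # e.g. a dropped-file path
    if cur:
        entries.append(cur)
    return entries


def validate(entry):
    """List missing, mis-sized or non-hex digests so a mangled copy is never loaded as an IOC."""
    problems = []
    for label, n in DIGEST_LEN.items():
        v = entry.get(label)
        if v is None:
            problems.append(f"missing {label}")
        elif len(v) != n or not re.fullmatch(r"[0-9a-fA-F]+", v):
            problems.append(f"bad {label}: {v}")
    return problems


def digests(data):
    """All four digests of a blob, keyed like the report labels."""
    return {label: hashlib.new(label.lower(), data).hexdigest() for label in DIGEST_LEN}


def match_blob(data, entries):
    """Return the first entry whose SHA256 equals the blob's; MD5/SHA1 alone are not trusted for a match."""
    sha256 = digests(data)["SHA256"]
    for e in entries:
        if e.get("SHA256", "").lower() == sha256:
            return e
    return None


# Constructed sample: first entry in the fused form, second with labels on their own lines
# and a deliberately truncated MD5 that validate() must reject.
SAMPLE_BLOB = b"constructed sample blob, not an artifact from the report\n"
_d = digests(SAMPLE_BLOB)
SAMPLE_REPORT = f"""C:\\Users\\Admin\\AppData\\Local\\Temp\\example.bin
Filesize{len(SAMPLE_BLOB)}B
MD5{_d['MD5']}
SHA1{_d['SHA1']}
SHA256{_d['SHA256']}
SHA512{_d['SHA512']}
-
Filesize
1KB
MD5
deadbeef
SHA1
{'0' * 40}
SHA256
{'0' * 64}
SHA512
{'0' * 128}
-
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(r.get("path", "<no path>"), r.get("Filesize"), validate(r) or "ok")
    hit = match_blob(SAMPLE_BLOB, recs)
    print("blob matches:", hit.get("path") if hit else None)
```

Entries that fail `validate()` should be dropped rather than loaded; a one-character slip in a pasted digest silently turns an indicator into dead weight. Matching on SHA256 only is deliberate: the MD5 and SHA1 columns are fine for cross-referencing other reports but are not a reliable basis for asserting that two files are identical.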