Malware Analysis Report

2025-01-18 21:21

Sample ID 240323-ewxpxsdd89
Target TLauncher-2.899-Installer-1.3.1.exe
SHA256 3640227b80b8742c811f8ef399ccf1018d21224920e76239136d569db12a6244
Tags adware discovery persistence stealer upx
Score 8/10


Analysis Overview

Score 8/10

SHA256 3640227b80b8742c811f8ef399ccf1018d21224920e76239136d569db12a6244

Threat Level: Likely malicious

The file TLauncher-2.899-Installer-1.3.1.exe was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence stealer upx

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

UPX packed file

Checks computer location settings

Blocklisted process makes network request

Enumerates connected drives

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-23 04:18

Signatures N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-23 04:18
Reported 2024-03-23 04:25
Platform win7-20240221-en
Max time kernel 446s
Max time network 373s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe N/A
N/A N/A C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe N/A
N/A N/A C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

UPX packed file

upx
Description Indicator Process Target
24 matches recorded; no description, indicator, process or target details were captured (all fields N/A)

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre1.8.0_51\COPYRIGHT C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\java-rmi.exe C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\deploy\ffjcext.zip C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\flavormap.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\fxplugins.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\instrument.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\policytool.exe C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\ext\access-bridge-64.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\rt.pack C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_fr.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\awt.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\net.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\psfont.properties.ja C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\java.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\t2k.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\security\local_policy.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\jce.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jawt.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\j2pkcs11.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\ext\nashorn.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME.txt C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\nio.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\pack200.exe C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\net.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jli.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\prism_sw.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jfxmedia.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\npt.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\wsdetect.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiItalic.ttf C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\README.txt C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\deployJava1.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jp2iexp.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\accessibility.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightItalic.ttf C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\lib\tzmappings C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
File created C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77dfa5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77dfa5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77dfa8.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEFB6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77dfaa.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_54" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2681408150F\Version = "134218238" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_30" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_16" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_30" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBA} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBC} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBC}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll" C:\Program Files\Java\jre1.8.0_51\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB} C:\Program Files\Java\jre1.8.0_51\installer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2504 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 2504 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 2504 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 2504 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 2504 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 1116 wrote to memory of 2036 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_51\installer.exe
PID 1116 wrote to memory of 2036 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_51\installer.exe
PID 1116 wrote to memory of 2036 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_51\installer.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2236 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
PID 2036 wrote to memory of 2088 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2088 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2088 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1720 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1720 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1720 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2348 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2348 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2348 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 952 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 952 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 952 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1656 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1656 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1656 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2888 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2888 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 2888 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1036 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1036 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1036 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
PID 2036 wrote to memory of 1608 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
PID 2036 wrote to memory of 1608 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
PID 2036 wrote to memory of 1608 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
PID 2036 wrote to memory of 2796 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
PID 2036 wrote to memory of 2796 N/A C:\Program Files\Java\jre1.8.0_51\installer.exe C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe" "__IRCT:3" "__IRTSS:26611457" "__IRSID:S-1-5-21-1658372521-4246568289-2509113762-1000"

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-1658372521-4246568289-2509113762-1000"

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Java\jre1.8.0_51\installer.exe

"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

"bspatch.exe" baseimagefam8 newimage diff

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl2.tlauncher.org udp
US 104.20.64.88:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 tlauncher.org udp
US 104.20.65.88:443 tlauncher.org tcp
US 8.8.8.8:53 javadl.oracle.com udp
GB 104.103.251.196:80 javadl.oracle.com tcp
US 8.8.8.8:53 advancedrepository.com udp
DE 46.4.112.215:80 advancedrepository.com tcp
DE 46.4.112.215:443 advancedrepository.com tcp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
GB 104.84.88.195:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 rps-svcs.sun.com udp
GB 104.77.160.202:80 rps-svcs.sun.com tcp
US 8.8.8.8:53 javadl.oracle.com udp
GB 104.103.251.196:80 javadl.oracle.com tcp
GB 104.103.251.196:443 javadl.oracle.com tcp
GB 104.103.251.196:80 javadl.oracle.com tcp
GB 104.103.251.196:443 javadl.oracle.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 sdlc-esd.oracle.com udp
GB 23.44.232.84:443 sdlc-esd.oracle.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 a019b5697f8336ebc95e55e738dd65ba
SHA1 a91bbac4de57faccbdf04338006a8f136e2103f3
SHA256 abd8a1242e302f0b7067d5bed8fc89ad16136d12e27284911740305708824a69
SHA512 50bc39c25c1299ad3e30a9cea89557f55dc2fb31e03c14e02dd80945d9d006477d3a5a59cab6089b397d04d236ea1e96810d29ae9a3585c56969ad206258d255

memory/1940-5-0x0000000002C40000-0x0000000003029000-memory.dmp

memory/1940-15-0x0000000002C40000-0x0000000003029000-memory.dmp

memory/2504-17-0x0000000000F50000-0x0000000001339000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 c333af59fa9f0b12d1cd9f6bba111e3a
SHA1 66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256 fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA512 2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

memory/2504-577-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2504-579-0x0000000000540000-0x0000000000543000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 dabd469bae99f6f2ada08cd2dd3139c3
SHA1 6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA256 89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA512 9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar6B1A.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

MD5 83a8f0546164c9ba1a248acedefd6e5d
SHA1 7652f353ed74015e7e78bc9f9e305a48d336b6d1
SHA256 e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9
SHA512 111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

memory/2504-651-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2504-653-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

MD5 61926338beed8fc9248d30b518a30ca5
SHA1 a8c58b3c54e8022c11e2131b44b79de9a71b8075
SHA256 8e6ecb01714f54d7df658b6e7c959d3ca76344d1e555fd29ceb503589c002ebd
SHA512 d915d4da356c6e86e6e7321f60424738799f833136d5e74f1e3b9b39b484a5edc8f6c5375a66b0bb11027a43ec85c29eeb7478722bd0927d8d89fbe6a5ade28e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

MD5 b9f65a764f4b6e7200d4e8196404506e
SHA1 ff234ad4d6bdefbd327afe797a8d4ad49bc8a6db
SHA256 0edf34b391e628c512c92875c2bef18e4ff6089c684510f7a9899a3ee74e7c03
SHA512 f7f5c039a2afb770dc5c69a25e1b14b1aaab193d3e068cf5122d5b2e852549f7315fee033e08dd6f03fabbca2201d11b40c82a3405052799a11475f14ce77b9f

memory/1940-683-0x0000000002C40000-0x0000000003029000-memory.dmp

memory/2504-687-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2504-688-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 a266e0ae1001da0023f9664afbcaee99
SHA1 f943c180e5221a5943039c21b21f394dd99cbe14
SHA256 819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf
SHA512 525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

MD5 91d4b32e546bb567a485368f4f3e9e36
SHA1 1a3c0d14148e89d63133680585a1cc8acf350a30
SHA256 c36b84cd9535d41d0b83314016b94cdfdf240bd561ea6a7364d80c7d1d0a408f
SHA512 60448d51a6963ffe78a27396fbea0bf0b24e7e6fc6b1b20f918162611e715cb3e66aa598d5300701ea5861e6c1157d3dab490fffc250fc848d9b4bc25fd41390

memory/2196-728-0x0000000002C60000-0x0000000003049000-memory.dmp

memory/2196-729-0x0000000002C60000-0x0000000003049000-memory.dmp

memory/2196-730-0x0000000002C60000-0x0000000003049000-memory.dmp

memory/2504-731-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2504-734-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2544-736-0x0000000000300000-0x00000000006E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

MD5 da8cd32154d43dadf7fa3de296fa5e1c
SHA1 e3606080a4011e8b216000478aaf97d0d6486d9c
SHA256 96dfa8386139487d2196f19ec97319056a7a08c48d92b58e41ee3254863dd8d7
SHA512 9a24e7cc3e6afc8426f5c115bfdc19cd6243d30a2b91f300f8acf846c9d335c7e828859ee3d5937f5b63028f97cf8fa47b5a6109bddc2b30cfd33ae27806b05f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

MD5 1ffd93751bc3400074dc0affa49ddfaf
SHA1 81be618514bdb88161333386f326cfcac2075517
SHA256 e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be
SHA512 b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30

\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

MD5 6adcf385aabc0796cf2409dc3986c33d
SHA1 7392fbeccdd12d84754131c02e82214591390ea2
SHA256 c27ae0eef8ecc03099dc7f54f1efc7fdad8d7b7b4c3f7b9b4e34472be7905435
SHA512 8ac29e0d5955d212da0226c305c4b0ff15e01701f3a60e1daa997ce0bbdf2bc6757f99971b78243ca87e4e3a5636eb52f4050211f9a0580a904a5cbfe84e2dd1

\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

MD5 13c44352a171fc8a85c3e67167dd917d
SHA1 6e4f64bc781519f77d9a8268cc6a83e55f75332a
SHA256 53cd377b1249e7070a36fec16f33d08feecf422a9cd9a365dcedf0f6e02a1f5e
SHA512 ff5a8280c6ea28ce771409bc7a8dfb3513692be88a9b967d2c83fc66a7343f87b03c93d0c71b318a3c66680424f648b6facc21a0d5b6ffc2b8ba1b01366ffe95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4dc955b0f08c49300064d5c970c6807a
SHA1 ebf220b04d4c65612532479bc288548b64b5481a
SHA256 5b2ca00d00fe486440117e9a503bcd56373f5caec142a2f6c86d7699ef60eacf
SHA512 0ec5a6f684422e19a17036fe19e78b0c36cda2ff5b767078dcdd37bc289197251d6ce0fcba92df24df61921fead48cc221e7e39af0d5e0497983afcf8bfbe47d

memory/2544-808-0x0000000000300000-0x00000000006E9000-memory.dmp

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

MD5 505731086d2f448e68c025a7003efe00
SHA1 e8358cf87df55712a7b6998d1816e94b57f3b7c1
SHA256 978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5
SHA512 856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 65e111ba091f9b3b647fd1a2b062d5b8
SHA1 a4dc7a6bf1caf771fffe6b5318e9b76387f0d38b
SHA256 d3e8b9a0664270772e04b7fdc584d7d7a5349c93ca5310e2efa9ce269b0baf55
SHA512 5d1afb4ca830655bb6d25dc35f71a45984bd70d5c4e83d25636001e79f6b62094de3da96192f22da1a1acc3b9024145eb7ce3f313b016cdd7c999c3f15549c8e

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

MD5 c6186135729878354e56e2430b872621
SHA1 a75d9bd5d067554c20f56b26691b8d2dffd61e55
SHA256 ca14f4876462ae0f578da25803b9a846a7a714f120a7a0c3dc8882540372ea39
SHA512 4f7204200ad7ff0b6af06a2b3bd384296916a5672bd05d8525889a6ef9c0dcc29703ac593f2d09f148a27de7245c2cd73a8be68e356826f912340a36f40ce655

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

MD5 8a4ce1161d44ecea320716669f88593a
SHA1 bde372ab6ef73c56400a5ceb376ab3fa273b4707
SHA256 db36f7bf1c4e9a7139b1aac61f70c7be12e064d91ac28a0cd9ba335d20a2fee0
SHA512 f513561a1893e9a19d533c2087b7763e6ebca166a96e978dae455b0161a1dd5a70c78418c713c6c1a8079ba51202d6f71942ffbd8f35be8515a4c758ef8e098f

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG6.PNG

MD5 7a2cb1e4ee71ce8b9b048668d8936bd2
SHA1 f883e96d42b23b92b73cdc7dd9dbc2c5a1108e21
SHA256 fcac8ed93580a5e9357ac9aa80db42083883ff05cccbfc2d50d20d559cb7eefe
SHA512 2395016fdb3fe37280c55e0dc98e7d530bd255f66e1b4a39d59c12dc31bd4b50bfd73db000715b3ebb1ebd25baabd77a8957f22278e3ae4c1cf3f02c1670b311

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

MD5 03c6cb38498ec6f14ade1da1fb3d930b
SHA1 c5080c076980ba26c8cbab8cfc3c800557531fbe
SHA256 774e54dfa0927eb1e45dfe7ac402d0aec09762fa464345c39a5d30a0eae15b53
SHA512 00a20b947161b83c0da283c6cd7cc4488703a4896d934b68a077e05fbb6c615ee57d2ba02a2bc369b3c8971dd95ebee97db77d638c3fceb5ff0e4853d9db8fdf

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG

MD5 32066ee1873138d793665bacb3feab57
SHA1 733f970cbb84834b88c9a473e43b86e9e95cff77
SHA256 a1477a375e8a0406abf35c286ee40db346c048ab8f5521898cab2405ca49e22a
SHA512 53d1682a22c316c722225a3a450afe5812d8783eef0d1c19414a64cc5b73a99869be2b3ab577384bc9a9592917a50fff5b8307ee7176872de193c5c92d7c45b2

memory/2504-1320-0x0000000000F50000-0x0000000001339000-memory.dmp

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 30f5fa3e81f00879affba3cc637e5c23
SHA1 e5fd1d7ea6bb6389eeb7e3a7168c3d162528fb08
SHA256 cd213a47202a799cabb03f2f35ee4c2505cb67c77ad17d5b02fefc80df888f1b
SHA512 29f5003fe43a910632b7356c56394df02522db9ec102d70acebf51d8d9d2e6341147dca1f697d9ddb7228ac456f0b9e2662332fb67cf5aa4b733e716fa6e5584

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

MD5 cc47ee5385941413ca12f4173bca8ca9
SHA1 a28fd8d77de0466b9f2d70031362b52605f84b2d
SHA256 1ed1029571b04aa1bbad5860744713494dddfb99e2fe3009f867f17c1e20341a
SHA512 04249555f49f955c6aa3a9e042cf311978009de56e0f0e8255fb6db980c0f646efc0edf8cdd4b46c64285f2d376186551dbe62dad960e2bb7962a6bc64a286a6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG

MD5 f37fe60fb4928d4cb0c64f6bd751c83d
SHA1 9ffc8cb569971d805b616885998cfad5d70a0753
SHA256 0ee4462ddd19a6948cdc3da1bee0c65a95226af7aa731285eca6eaf1d026598b
SHA512 669eb01d3a82437857c40bb57780b57b188e51ac2604df8b21e6fddc5f4d44bce21684da2a80f8cc315922e9fb32831f24e5e7f8fefdcf2ceb3c15e932e17ac5

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

MD5 ac9af310baecedffe9c067e87d850cfe
SHA1 d8e1e627d154f48d0d49e4a61b32a7f2738a88d7
SHA256 fda8437e44e3dc9e4e5972ea8d6597742fff683f984943cffe410ed43881caad
SHA512 8c49637672b96eb0445db86b697bb4b60afdd904451c7891ffb62f63a67e38ba57140b5259875a64d4dcce5c5ff2ad2d43d8eefd46183658b434058ce681f1f3

memory/2504-1352-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/2504-1357-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2504-1356-0x0000000000F50000-0x0000000001339000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a60e4f6385edaace58c24d32b0ad6064
SHA1 93f06193281c9e38cb31f09944c17acf4ad69ebd
SHA256 46ec071bdb262e740122c62c1da5203b673c38416c5d0853ac00daa54f934e30
SHA512 c93ac11cf0eee561d113254abccbf9942370a70fb473b44a62de136f08e81318d778aa5376da7bdfc98067b9c22b12f955685e587745ef5d7a6bace44b0e08e4

memory/2504-1393-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2504-1400-0x0000000000F50000-0x0000000001339000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 39f63205b7b9e6cf9753a64a7ebc915f
SHA1 2d15e50cb39dd67aaf8410b46985a8d5270cb5fd
SHA256 6a606f7531e90f1d02fd756bd0b00a2a5003ac85fdd5e6a90fd57b677d36b056
SHA512 ad9bdf0ede449aa3dc388f6025378c7a2eb889a53967dec774084e1ecef2f11e9f14af957abbacd30c312d728a77c7c27a4bbb667ca99c16283ccc531e1a85eb

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 d78258a9d6a1680a9963420fbf38232e
SHA1 c12d3ec94761d440c34cd6db43194c7a9c6b1ba7
SHA256 fe5b8cd0e24deeb836286e39dd8e2052fe28847db95ddf828cf5118a6ec5ed65
SHA512 08a2f80ae7b2f2ce9eab74b79fe37d825385fea05d2253c6932edd47faeffde776c4cb6faac6095b6dad17652864d0ae5dfa6a9dfb9032cb0a60d7ca1764ea04

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 b2bff5903ec511527c4b55d6187b25bb
SHA1 07e050173158d96e8579ce5ee118fd4c0e21b087
SHA256 1520fd7944c27d73e8753fb622e0222ca05379d33afe311c561a68a81628f6ae
SHA512 5444a66a7a05745eb1c9cc3f06c79621920942c64447501716516a18b515933054dba954eef0361f81e0c7f7fad65caef737eae1e4ba9529ceec042ccee7cc35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44c44eb5590214bb42f77a35e4ba544b
SHA1 02eaa1f12e2bc1791d707caaea1de453c9952580
SHA256 ecaa7f3e6c7229b8affc7706946efdce977919644c58373e5a0436fea51f1ed3
SHA512 53c70f942e4c047087012a6bd5fa5abb7b64cb951f9d2944ee8b7af461a2b29b5fdd79cbdb78bdd3c347b9c945a04ab9f60270f33145ba80098da9a81659caf9

memory/2504-1475-0x0000000000F50000-0x0000000001339000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 10fc26a16aede86caeaf2b7681738839
SHA1 076273223c945032b5949710b1fa90650dee81d4
SHA256 788d72f68d81a1815ad696ae517c5d366d912b26324a57c8b7e6db29067b5752
SHA512 86cbe04b5ef71bddadf28fafa3e5b489ab2bf394407eb7f88a4ab1b7797320b43876a731ef0d8892bef1b64729fda4ab2a3019f31573165713a24ae6efccf154

memory/1820-1478-0x00000000002D0000-0x00000000002D1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

MD5 4c220418a3826a6a315b0adf73155cc5
SHA1 f0f9100b2f2c421ab20abeb4ffc8a15b346bc2b0
SHA256 7c59c5877c1fbdf76eac83af5e0b8895ec4b1089979720b3a6bb942713547bba
SHA512 f16536ed312b4951b7b3ec922105ba041d65d5343044fdf9b68d8d06b8d9fe27786dd5e4cb76154781857a7c2274339dac26cf67a211deeb82ccd85603ffc707

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef48d90c9ac2b8b54d984f38791a89a0
SHA1 b994257c6816ba772f3c172081dbeaa70b4dab92
SHA256 0eba87834e0947ef69cb670d4ef1c1e662dda49c0c2d70c80d4f82d63f117b0f
SHA512 f73aee6ff201ef9b8146639bef6fc619dc95acf6c785f7789824b878c967e0c6c39486cae0c55e9c701576bff502ae6df37b155cd18f1ba6466a148f77715f93

C:\Windows\Installer\f77dfa5.msi

MD5 bedec65493d69014f95da078e2a85c53
SHA1 23398161d0ba411fa93f812316737793b0045f3f
SHA256 3392bbc8ad09129f2ef7d9d82bd1a05ce2cba87e675fe7563758b2361214f639
SHA512 926b9967d253c6c421c88c19a7e46a9d94b96b1adaf924785a8c0f7f324d6b97fd01dc35dc4bdf3c0ccedd246a39e361343469abbaf17bb3eb86b1aa39f982d7

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 a67e40760f6756f59c4754236c13cff3
SHA1 cd76ad33c3356b546487a94aaed88322ac32b2b5
SHA256 c3f27749326c3f2ece815a3fe0385177a4bdff503cb7ab4bd043dbaaa860ed0b
SHA512 dc81bc33fbe43fab1f73f4c1014a1360fab41b4deffd8923e8ce5919d779b06db0e48f6e7750c528b7b9a0ee156a2ac4e279074e7e9c24c2bf79fc9cb32f811b

C:\Program Files\Java\jre1.8.0_51\installer.exe

MD5 af6be0818866bee9da7be5106547e90b
SHA1 bf5d307646b82782464a22b2ecc7f8e0ad28dd6c
SHA256 b2127a351ea17b8ad1722a5f05e8d7c0b09f09fc1e6ced32c11536a57cd27bed
SHA512 bfed4d9d43da09afb0b110e47ea8b360d81da6d59e17380725578145756001c192bb9011e6521075b1256703339c53c2127d1542daa762dede3b1de8428f40de

\Program Files\Java\jre1.8.0_51\installer.exe

MD5 e91145d5f8185a50bbffa7ad77c9d12c
SHA1 168d5da0152c0a8656101ba40c323225f7df4e80
SHA256 d65b8743fea3f2d69b173a70c3a2d1c15d2886baa24fa5dbfc40eebef09fd5f7
SHA512 e789800b9139aa244d1b9d16f7746ad05e9c2765d85af2e70cdef7f791aa858992ca957c544b6d2ccb7d4ba096c1376fb3da3eedcb1ba46ca019afa843052531

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/2236-1609-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2236-1613-0x0000000000230000-0x0000000000247000-memory.dmp

memory/2236-1614-0x0000000000230000-0x0000000000247000-memory.dmp

memory/2236-1616-0x0000000000230000-0x0000000000247000-memory.dmp

C:\ProgramData\Oracle\Java\installcache_x64\diff

MD5 c195a4b1b77c176cdfa4d154d9361be2
SHA1 311773219c5b7cd2f955b24856fc1306857d7fc8
SHA256 84b5307295e47cb47b4641c4bc53d2ea90ba35de6ba3cb5d03cc51d44d0808c4
SHA512 cbb14d467616ff7bb554ec3ca180d5efec794a714cf73fa48cfca266498acc26f7fba5c1acdf4cb433fb249ed37e2b15a19fbd3a33dc55b655be2c68ff6caf34

C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8

MD5 aa6dc06d30f8c2ce042c030b1718f8f7
SHA1 48fb703447cdec7ab2f3d67e3816804c9e527a79
SHA256 8c8a24507a072dd718b61230e33cbdea736d7afbcf1c31fe1971cade4a8022f6
SHA512 667fad1ef5bdb1793adcded75c6263ba761633702085230f4ab1aa8adef0277bc19082cb51de478a5bcca6632a4b5bc56060dcf7205acfc680f8b4df8ae8e955

memory/1820-1619-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2504-1620-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2236-1622-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2236-1624-0x0000000000400000-0x0000000000417000-memory.dmp

C:\ProgramData\Oracle\Java\installcache_x64\newimage

MD5 e440ba526ad50ca393f30d19769415c8
SHA1 1cc21efebfeb8f677cf0716addb8ce3f31c32123
SHA256 3e611d45248ef7e6b47d7dfb26260ec55629ce6976948ba172bdb84a59c3e1e4
SHA512 5375b6916a34bad1168734614d147e57705ae463e6d2cd1abd6dbb9affefd7564326778e94a9b01425f1b86f3fe1437e9684d87074c4c4f060e01a3d226893f6

memory/2504-1788-0x0000000000F50000-0x0000000001339000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 6a2b5875ebb43101b3fd3e43b2da319d
SHA1 f0cf146a2bd6b8121b3304f54786498904f25f70
SHA256 02e59d92976905adee8a4b239b9cec9a188dfce70010aaa7e3c599f2d48cee8e
SHA512 bf3f9b52808f39927a7ecb59a57f4de1e6b6e5f9f965648be39bfe590b9192e3aef648f32f1815c114a1f5cd41fe61cfc72f3d9b028d940e1c9a453a85aea229

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 e961d20cc32462c02e486687f0636df6
SHA1 271b24efa6fe9804ad0c83ebaa154d43cebd9369
SHA256 607a95f3a93f47bd7c7ca468d0cb1e3283dfcc5e42426362a942abf32091768c
SHA512 3c6947b60f5a3ef8b61013546398a894ee40aaaf6a391574c4f4ac01d97d2866a82794f02bd429386805824c428ce6498618cb16f3fafc8d162a113eadad731a

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 e717a91c19d18630ae2ac8ad132c89bf
SHA1 db3f016641dc03177d44e82e7a96f87eca437b30
SHA256 b1bc8fbbb987ea9bcffba5725bc125fcd200723a3be94c71dbdebae41ba95f48
SHA512 3c2c97faf9c02d1d90f03e634eaff45b83f3388acd6dca7b29465b9fb28b4bdbe659a1f935a597559b696a6a83c0abe7b07f0e8f2f966247611f2a5b601e4f1a

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 c13b51a9755da0afe08af2c3532f45b0
SHA1 48582935af441a5e27e53cd9c02f171c4744e980
SHA256 6b473639d265edf4635dce0ec4854590a4dd0dd75abc2e17ad417b98214f02d2
SHA512 b838554375e6b8335c063940adc47853ee8a2efd6828e0f7d56a11caea44439b12476731f7ab8290da5d18a52433f54a409b5fb671549f1bfe19a7917c737a1b

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

MD5 5b071854133d3eb6848a301a2a75c9b2
SHA1 ffa1045c55b039760aa2632a227012bb359d764f
SHA256 cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf
SHA512 f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

MD5 6387aad30e70e4caf1b86ff18ef4592b
SHA1 c4d89cf60df61f205c22462d4fa3dc88eb4d1bc5
SHA256 b97bf0b9154065978bae86d3ea40bbabdb9668ffcd30e74d88e1cec1c158b894
SHA512 191e302df7969dda55bd2c5758bc11a37f0cc6def4d12a487db8d5eee9ab467a6dd682a9b06c0f3ed11b7a57df97c4d4ca253d73f6d557e4c5d28f996f77d635

\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

MD5 474c1ec7c22b6b89a8509808e58ecac7
SHA1 2254b3fbb463db4be1a6cb5712f2040caa3991ae
SHA256 7162b6f246b38950c40e74b25e8028ffba4ed38105b6b0024ef90b753646c4bc
SHA512 e5f047e04450cde9ad32884f4886d1ecc8d1445ee24899dcb9f45c1f3ebcb3a9a61ead306459e51440a9e030145da7e81df4f599eb9d1c439d411c78b97b0611

\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

MD5 e15df60d880adeffed91066255efec6b
SHA1 2cf20c7fe8199be2e0cb0705fcd5d438da2c2a6a
SHA256 5d7b085a438093e051039797fb043f5dcea0d87c121c349d2559654e1df197c2
SHA512 41c3885075d812faf11dadbe6e1754b556d76d3d2a30cbcaf5c0b19334a33fdc2b676c911e81a12b826771e6fea90f738b2e2716da81c69c89d98746ad2e6ad7

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 ce9ae96630939807fd053f786397edd4
SHA1 84982982647f4914aa3ac36f86f1e5e819594b70
SHA256 dfb01b6e80e0d3d3f32d7c7aade08062b8676672191e78376a964288b7b88f99
SHA512 0a8be393c27b18a6a3c186d1097d2b831685c3becbd4121b33d3c56240ccbee0a7470d6763f4c56e4ad8f2a22cde93ece962c90bf731835d9d9509a68364370e

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

MD5 3e4e5b0242c861e49fe4553c622dfe95
SHA1 fe8e3bced8c5894126db8ed8bc7715bc62bf37ae
SHA256 983ebafeeaa0000829a488183d354fa18759dcf4b273747e52fbe0fa13774798
SHA512 c24a0147fc16794cf11fc31dd3c331cb9cd46e6d438d7ade12ee5c66d06537f8d764a3cb2fdfd867ecbfbd1443b05585b62390539a5e34d639b590d9e762cdc3

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

MD5 4e8d8b3a2ad7471042403b06fac07343
SHA1 af1c782d636c070b4d57cb56b283ff3df1205f46
SHA256 afc30bf47ef343d78414baea01b85c521417eb43807222e2b6119a10a51f5f0f
SHA512 50e9398adcbdf185af1639fb98a144501bc4c90299ac3815f295c5a9abed1ee180e32808f5788d03489b7a1f6715d41fcac7644cacd35ce03074d61d8ccbbd55

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 18f17df006647ab2fff44b5f3c435bc2
SHA1 6d2772509a691bd6f26c354081078a4273888b57
SHA256 93cb83e7a8c4b50486a2946a3a679992a65e6bac8ccf9198f6638a518a44ef19
SHA512 bc9798624c98ee0425790a347f95fd20e0bd8b9e78b2b73a72679b8b616fa0140096b71fad3ad16407181d744dc4c623aabd12433a944a0247e0dbfde8196fa0

memory/2504-1886-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1608-1889-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1608-1890-0x0000000002480000-0x0000000003480000-memory.dmp

C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

MD5 f49218872d803801934638f44274000d
SHA1 871d70960ff7db8c6d11fad68d0a325d7fc540f1
SHA256 bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528
SHA512 94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

MD5 5ed6faed0b5fe8a02bb78c93c422f948
SHA1 823ed6c635bd7851ccef43cbe23518267327ae9a
SHA256 60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5
SHA512 5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

MD5 cb63e262f0850bd8c3e282d6cd5493db
SHA1 aca74def7a2cd033f18fc938ceb2feef2de8cb8c
SHA256 b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012
SHA512 8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

memory/2504-1966-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2500-1978-0x00000000025E0000-0x00000000035E0000-memory.dmp

memory/2500-1979-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2504-1991-0x0000000000F50000-0x0000000001339000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

MD5 5ff4b16e3307f9d26365a7a7d0a2eab2
SHA1 12313e733265bef8c35b4ef2ac5680a1b2001c79
SHA256 716e46811b96d7bffac7f444891df169cba34d836bef6c59002376491d4d9c47
SHA512 b9955d611d50772f06c9ad9c4b1bb83ae305875b58aefc3fb04b870d4f61c05f8e2b65067dc79288b1ed45d1fb7a36e70d3edff4678b391f6fbfb4d3478e61d5

memory/2504-2003-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/784-2006-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1872-2016-0x00000000025A0000-0x00000000035A0000-memory.dmp

memory/1872-2018-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2504-2019-0x0000000000F50000-0x0000000001339000-memory.dmp

memory/2504-2020-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe

MD5 7b23b0aab68e65b93bb6477f05999574
SHA1 920752e4c22e1165e6df27f69599483187edfbb3
SHA256 32546ecf1236769d2d777331f90282fb97589bec75da11c8e727d61d3d4c988a
SHA512 e3395303e53edce3dfa8fe11b7338c77795595a17dac17818e4bc8b77feee4900d541201d6762aa8f46565730e24a5423684049d40bbd074186ef7223c96b604

memory/816-2022-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1872-2027-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2244-2041-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2244-2052-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2244-2114-0x0000000000150000-0x000000000015A000-memory.dmp

memory/1872-2136-0x0000000000260000-0x000000000026A000-memory.dmp
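
The Files list above records the same path several times with different digests (BrowserInstaller.exe twice, jre-windows.exe seven times under two spellings of the path), which is what a file written in stages, or overwritten by a later drop, looks like in this format. The Python below is an added example for this page, not the sandbox's own tooling: it parses the path/MD5/SHA1/SHA256/SHA512 blocks, skips the memory/... dump entries, validates digest lengths, folds the with-drive and without-drive spellings of a path together, and reports paths with more than one SHA256 next to a deduplicated SHA256 list for blocking. The sample text is a constructed subset of the entries above.

```python
"""Parse the Files section of this report into hash records, validate the
digests, and find paths the sandbox saw with more than one content hash.
Added example for this page, not code from the sandbox vendor."""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")

# Constructed subset of the behavioral1 Files section, copied verbatim.
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

MD5 6adcf385aabc0796cf2409dc3986c33d
SHA1 7392fbeccdd12d84754131c02e82214591390ea2
SHA256 c27ae0eef8ecc03099dc7f54f1efc7fdad8d7b7b4c3f7b9b4e34472be7905435
SHA512 8ac29e0d5955d212da0226c305c4b0ff15e01701f3a60e1daa997ce0bbdf2bc6757f99971b78243ca87e4e3a5636eb52f4050211f9a0580a904a5cbfe84e2dd1

\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

MD5 13c44352a171fc8a85c3e67167dd917d
SHA1 6e4f64bc781519f77d9a8268cc6a83e55f75332a
SHA256 53cd377b1249e7070a36fec16f33d08feecf422a9cd9a365dcedf0f6e02a1f5e
SHA512 ff5a8280c6ea28ce771409bc7a8dfb3513692be88a9b967d2c83fc66a7343f87b03c93d0c71b318a3c66680424f648b6facc21a0d5b6ffc2b8ba1b01366ffe95

memory/2544-808-0x0000000000300000-0x00000000006E9000-memory.dmp

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

MD5 505731086d2f448e68c025a7003efe00
SHA1 e8358cf87df55712a7b6998d1816e94b57f3b7c1
SHA256 978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5
SHA512 856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 39f63205b7b9e6cf9753a64a7ebc915f
SHA1 2d15e50cb39dd67aaf8410b46985a8d5270cb5fd
SHA256 6a606f7531e90f1d02fd756bd0b00a2a5003ac85fdd5e6a90fd57b677d36b056
SHA512 ad9bdf0ede449aa3dc388f6025378c7a2eb889a53967dec774084e1ecef2f11e9f14af957abbacd30c312d728a77c7c27a4bbb667ca99c16283ccc531e1a85eb

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 d78258a9d6a1680a9963420fbf38232e
SHA1 c12d3ec94761d440c34cd6db43194c7a9c6b1ba7
SHA256 fe5b8cd0e24deeb836286e39dd8e2052fe28847db95ddf828cf5118a6ec5ed65
SHA512 08a2f80ae7b2f2ce9eab74b79fe37d825385fea05d2253c6932edd47faeffde776c4cb6faac6095b6dad17652864d0ae5dfa6a9dfb9032cb0a60d7ca1764ea04
"""


def parse_files(text):
    """Return (records, problems). A record is {'path': str, 'hashes': {algo: hex}};
    problems lists malformed digest lines instead of raising, so one bad line
    does not discard a whole report."""
    records, problems, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if cur is None:
                problems.append(f"line {n}: {algo} digest with no preceding path")
            elif len(digest) != DIGEST_LEN[algo]:
                problems.append(f"line {n}: {algo} has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            else:
                cur["hashes"][algo] = digest
            continue
        if line.startswith("memory/"):
            cur = None  # memory-dump entries carry no digests
            continue
        cur = {"path": line, "hashes": {}}
        records.append(cur)
    return [r for r in records if r["hashes"]], problems


def normalize(path):
    """The report spells a path both with and without the drive letter;
    fold those together and ignore case, as NTFS does."""
    p = path.replace("/", "\\")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lower()


def hashes_by_path(records):
    groups = defaultdict(list)
    for r in records:
        groups[normalize(r["path"])].append(r["hashes"])
    return dict(groups)


def rewritten_paths(records):
    """Paths recorded with more than one distinct SHA256: the file was written
    in stages (a download in progress) or replaced by a later drop."""
    out = {}
    for path, hashes in hashes_by_path(records).items():
        digests = sorted({h["SHA256"] for h in hashes if "SHA256" in h})
        if len(digests) > 1:
            out[path] = digests
    return out


def ioc_sha256(records):
    """Deduplicated SHA256 list suitable for a blocklist."""
    return sorted({r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]})


if __name__ == "__main__":
    recs, probs = parse_files(SAMPLE)
    for path, digests in rewritten_paths(recs).items():
        print(f"{path}: {len(digests)} distinct SHA256 values")
    print(f"{len(ioc_sha256(recs))} unique SHA256 IOCs, {len(probs)} malformed lines")
```

For a file listed with several hashes, only the last entry is the content that actually ran; the earlier ones are partial writes and should not go on a blocklist without noting that they never existed as a complete file on disk.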

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 04:18

Reported

2024-03-23 04:21

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.899-Installer-1.3.1.exe" "__IRCT:3" "__IRTSS:26611457" "__IRSID:S-1-5-21-3808065738-1666277613-1125846146-1000"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
