9aaa326da7ca2d0d7015742e3ffe5bce7df63cae147166e52f094a1c20897856

Analysis

max time kernel
260s
max time network
265s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.3.5.exe
Size

23.0MB
MD5

1a2ce8f6f111d438d4467a84d8c74351
SHA1

6f2b6d316eb820ae6875b84df9615e412ae0773a
SHA256

9aaa326da7ca2d0d7015742e3ffe5bce7df63cae147166e52f094a1c20897856
SHA512

8f276c77a73f4035513d463be939e056a67cfcfb28df078b7e63a3f524a5c66d02128ac6a267e84226dfc2916ae74d0f945a12f7326fa89fa97070329d828193
SSDEEP

393216:y25KVUfIscQ5+LTc2rr6of5MJ7ZWqxPAIgtMIMlFRqUX0OT2Hx8HcAobUAKN+:jKVaIsN+LtrrKJBH5lFRq0RD1obUAK0

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

java.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation java.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 17 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exejre-windows.exeinstaller.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exeTLauncher.exejavaw.exejava.exe

pid	process
2144	irsetup.exe
760	BrowserInstaller.exe
2928	irsetup.exe
1496	jre-windows.exe
1412	jre-windows.exe
2128	installer.exe
908	javaw.exe
2532	ssvagent.exe
304	javaws.exe
2740	jp2launcher.exe
300	javaws.exe
832	jp2launcher.exe
2084	javaw.exe
1488	javaw.exe
2044	TLauncher.exe
448	javaw.exe
2444	java.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-Installer-1.3.5.exeirsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exeMsiExec.exemsiexec.exeinstaller.exejavaw.exe

pid	process
1712	TLauncher-Installer-1.3.5.exe
1712	TLauncher-Installer-1.3.5.exe
1712	TLauncher-Installer-1.3.5.exe
1712	TLauncher-Installer-1.3.5.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
760	BrowserInstaller.exe
760	BrowserInstaller.exe
760	BrowserInstaller.exe
760	BrowserInstaller.exe
2928	irsetup.exe
2928	irsetup.exe
2928	irsetup.exe
2144	irsetup.exe
1496	jre-windows.exe
1084
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
880	MsiExec.exe
1708	msiexec.exe
2128	installer.exe
2128	installer.exe
2128	installer.exe
852
852
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
908	javaw.exe
2128	installer.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3884 icacls.exe

pid	process
3884	icacls.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0385-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0324-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0240-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0325-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0314-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0242-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0291-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0301-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0224-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0211-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0349-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0106-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0312-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0243-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0358-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0370-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0211-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0381-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/2144-18-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-699-0x0000000000150000-0x0000000000539000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/2928-750-0x0000000000830000-0x0000000000C19000-memory.dmp	upx
behavioral1/memory/2928-813-0x0000000000830000-0x0000000000C19000-memory.dmp	upx
behavioral1/memory/2144-833-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-1372-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-1530-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-2271-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-2458-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-2463-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-2619-0x0000000000150000-0x0000000000539000-memory.dmp	upx
behavioral1/memory/2144-3270-0x0000000000150000-0x0000000000539000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

26 1708 msiexec.exe
27 1708 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
26	1708	msiexec.exe
27	1708	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeinstaller.exejavaw.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\release	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259436370\java.exe	installer.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259436370\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	msiexec.exe

Drops file in Windows directory 28 IoCs

Processes:

msiexec.exedxdiag.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI64B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA131.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDABB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f769727.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe
File opened for modification	C:\Windows\Installer\MSI9E6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0B4.tmp	msiexec.exe
File created	C:\Windows\Installer\f769727.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6438.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f769724.ipi	msiexec.exe
File created	C:\Windows\Installer\f76972a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f769721.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EED.tmp	msiexec.exe
File created	C:\Windows\Installer\f769724.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI638B.tmp	msiexec.exe
File created	C:\Windows\Installer\f76972c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76972a.ipi	msiexec.exe
File created	C:\Windows\Installer\f769726.msi	msiexec.exe
File created	C:\Windows\Installer\f769721.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1DE.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exejava.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

jre-windows.exeinstaller.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0141-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0249-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0383-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_383"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0398-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0287-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_74"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_201"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0401-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0291-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0242-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0390-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_390"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0172-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0276-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0231-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0371-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0301-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_67"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0192-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_238"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_169"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0340-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0217-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0214-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0144-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0408-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_59"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_106"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0384-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_226"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0140-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0221-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_34"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0190-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_71"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0285-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0209-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_209"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_87"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_05"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0105-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_23"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0096-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_96"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0182-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0394-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0395-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\URL Protocol	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_21"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_149"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0392-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0367-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0287-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0271-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0057-ABCDEFFEDCBC}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0110-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_110"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_249"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0080-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_80"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBC}	ssvagent.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

irsetup.exemsiexec.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exedxdiag.exe

pid	process
2928	irsetup.exe
2928	irsetup.exe
1708	msiexec.exe
1708	msiexec.exe
304	javaws.exe
2740	jp2launcher.exe
300	javaws.exe
832	jp2launcher.exe
1708	msiexec.exe
1708	msiexec.exe
1416	dxdiag.exe
1416	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-windows.exe

pid process

1412 jre-windows.exe

pid	process
1412	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1412	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1412	jre-windows.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1412	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1412	jre-windows.exe
Token: SeLockMemoryPrivilege	1412	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1412	jre-windows.exe
Token: SeMachineAccountPrivilege	1412	jre-windows.exe
Token: SeTcbPrivilege	1412	jre-windows.exe
Token: SeSecurityPrivilege	1412	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1412	jre-windows.exe
Token: SeLoadDriverPrivilege	1412	jre-windows.exe
Token: SeSystemProfilePrivilege	1412	jre-windows.exe
Token: SeSystemtimePrivilege	1412	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1412	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1412	jre-windows.exe
Token: SeCreatePagefilePrivilege	1412	jre-windows.exe
Token: SeCreatePermanentPrivilege	1412	jre-windows.exe
Token: SeBackupPrivilege	1412	jre-windows.exe
Token: SeRestorePrivilege	1412	jre-windows.exe
Token: SeShutdownPrivilege	1412	jre-windows.exe
Token: SeDebugPrivilege	1412	jre-windows.exe
Token: SeAuditPrivilege	1412	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1412	jre-windows.exe
Token: SeChangeNotifyPrivilege	1412	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1412	jre-windows.exe
Token: SeUndockPrivilege	1412	jre-windows.exe
Token: SeSyncAgentPrivilege	1412	jre-windows.exe
Token: SeEnableDelegationPrivilege	1412	jre-windows.exe
Token: SeManageVolumePrivilege	1412	jre-windows.exe
Token: SeImpersonatePrivilege	1412	jre-windows.exe
Token: SeCreateGlobalPrivilege	1412	jre-windows.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

irsetup.exe

pid process

2144 irsetup.exe
2144 irsetup.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exejp2launcher.exejp2launcher.exejavaw.exejava.exedxdiag.exe

pid	process
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2928	irsetup.exe
2928	irsetup.exe
1412	jre-windows.exe
1412	jre-windows.exe
1412	jre-windows.exe
1412	jre-windows.exe
2740	jp2launcher.exe
832	jp2launcher.exe
448	javaw.exe
448	javaw.exe
2444	java.exe
2444	java.exe
1416	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-Installer-1.3.5.exeirsetup.exeBrowserInstaller.exejre-windows.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1712 wrote to memory of 2144	1712	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 2144 wrote to memory of 760	2144	irsetup.exe	BrowserInstaller.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 760 wrote to memory of 2928	760	BrowserInstaller.exe	irsetup.exe
PID 2144 wrote to memory of 1496	2144	irsetup.exe	jre-windows.exe
PID 2144 wrote to memory of 1496	2144	irsetup.exe	jre-windows.exe
PID 2144 wrote to memory of 1496	2144	irsetup.exe	jre-windows.exe
PID 2144 wrote to memory of 1496	2144	irsetup.exe	jre-windows.exe
PID 1496 wrote to memory of 1412	1496	jre-windows.exe	jre-windows.exe
PID 1496 wrote to memory of 1412	1496	jre-windows.exe	jre-windows.exe
PID 1496 wrote to memory of 1412	1496	jre-windows.exe	jre-windows.exe
PID 1708 wrote to memory of 880	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 880	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 880	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 880	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 880	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2128	1708	msiexec.exe	installer.exe
PID 1708 wrote to memory of 2128	1708	msiexec.exe	installer.exe
PID 1708 wrote to memory of 2128	1708	msiexec.exe	installer.exe
PID 2128 wrote to memory of 908	2128	installer.exe	javaw.exe
PID 2128 wrote to memory of 908	2128	installer.exe	javaw.exe
PID 2128 wrote to memory of 908	2128	installer.exe	javaw.exe
PID 2128 wrote to memory of 304	2128	installer.exe	javaws.exe
PID 2128 wrote to memory of 304	2128	installer.exe	javaws.exe
PID 2128 wrote to memory of 304	2128	installer.exe	javaws.exe
PID 304 wrote to memory of 2740	304	javaws.exe	jp2launcher.exe
PID 304 wrote to memory of 2740	304	javaws.exe	jp2launcher.exe
PID 304 wrote to memory of 2740	304	javaws.exe	jp2launcher.exe
PID 2128 wrote to memory of 300	2128	installer.exe	javaws.exe
PID 2128 wrote to memory of 300	2128	installer.exe	javaws.exe
PID 2128 wrote to memory of 300	2128	installer.exe	javaws.exe
PID 300 wrote to memory of 832	300	javaws.exe	jp2launcher.exe
PID 300 wrote to memory of 832	300	javaws.exe	jp2launcher.exe
PID 300 wrote to memory of 832	300	javaws.exe	jp2launcher.exe
PID 1708 wrote to memory of 1672	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 1672	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 1672	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 1672	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 1672	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2612	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2616	1708	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe" "__IRCT:3" "__IRTSS:24068259" "__IRSID:S-1-5-21-3452737119-3959686427-228443150-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-3452737119-3959686427-228443150-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\jds259424296.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds259424296.tmp\jre-windows.exe" "STATIC=1"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
5⤵
- Executes dropped EXE
PID:2084

C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
5⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
3⤵
- Executes dropped EXE
PID:2044

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
5⤵
- Modifies file permissions
PID:3884

C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\bin\java.exe
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\bin\java.exe -Xmx1024m -Dfile.encoding=UTF8 -Djava.net.preferIPv4Stack=true --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED --add-opens=java.desktop/sun.java2d=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.image=ALL-UNNAMED --add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.desktop/java.beans=ALL-UNNAMED --add-opens=javafx.web/com.sun.webkit.network=ALL-UNNAMED -cp C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\aopalliance-1.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\checker-qual-3.12.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-codec-1.9.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-compress-1.23.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-io-2.11.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-lang3-3.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-1.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-api-1.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-vfs2-2.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\desktop-common-util-1.11.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\DiscordIPC-0.5.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\dnsjava-2.1.8.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\error_prone_annotations-2.18.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\failureaccess-1.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\fluent-hc-4.5.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\gson-2.8.8.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guava-31.0.1-jre.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-7.0.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-assistedinject-7.0.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\hamcrest-core-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\http-download-1.11.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\httpclient-4.5.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\httpcore-4.4.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\j2objc-annotations-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jakarta.inject-api-2.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javax.annotation-api-1.3.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-api-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-core-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-impl-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jcl-over-slf4j-1.7.25.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jopt-simple-5.0.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\json-20230227.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jsr305-3.0.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junit-4.13.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-common-2.6.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-native-common-2.6.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junrar-0.7.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\log4j-1.2.17.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-classic-1.2.10.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-core-1.2.10.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\lombok-1.18.30.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-api-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svn-commons-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svnexe-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\MinecraftServerPing-1.0.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\mockserver-netty-no-dependencies-5.14.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\modpack-dto-2.2914.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\picture-bundle-3.72.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\plexus-utils-1.5.6.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\regexp-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\skin-server-API-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\slf4j-api-1.7.25.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\statistics-dto-1.73.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\tlauncher-resource-1.6.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\url-cache-1.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\xz-1.9.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\original-TLauncher-2.921.jar; org.tlauncher.tlauncher.rmo.TLauncher -starterConfig=C:\Users\Admin\AppData\Roaming\.tlauncher\starter\starter.json -requireUpdate=false -currentAppVersion=2.921
5⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & wmic CPU get NAME
6⤵
PID:2552

C:\Windows\system32\chcp.com
chcp 437
7⤵
PID:2536

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
7⤵
PID:2324

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & set processor
6⤵
PID:2720

C:\Windows\system32\chcp.com
chcp 437
7⤵
PID:2084

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & dxdiag /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
6⤵
PID:2312

C:\Windows\system32\chcp.com
chcp 437
7⤵
PID:2320

C:\Windows\system32\dxdiag.exe
dxdiag /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
7⤵
PID:2484

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\SysWOW64\dxdiag.exe" /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
8⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & wmic qfe get HotFixID
6⤵
PID:1496

C:\Windows\system32\chcp.com
chcp 437
7⤵
PID:296

C:\Windows\System32\Wbem\WMIC.exe
wmic qfe get HotFixID
7⤵
PID:1748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 71A874F1A3A05924F5C0B10E1827D917
2⤵
- Loads dropped DLL
PID:880

C:\Program Files\Java\jre-1.8\installer.exe
"C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:908

C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
"C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:2532

C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:300

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 1CDFDE8C20B79F460F15B6FCAD054DE5 M Global\MSI0000
2⤵
PID:1672

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F824F957A4342750380C5E478586B217
2⤵
PID:2612

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DBD981AD13A5F4E9639186227C29A8FE M Global\MSI0000
2⤵
PID:2616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
PID:2664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f769725.rbs
Filesize
962KB

MD5
f0cf08c20b87bab39e2d964f65f11f54

SHA1
92715bb127351b291ce9adb37ea8766e320c84ac

SHA256
117eb07ba99d38bd239f96a71dbf9ab5a6eb0ec53c512048f99cb08623c45b71

SHA512
4adf4007ac39d249bd110958bbd60c9e9e682fa3ab8f3b3771080184d0ed9932269ae0d9317fa5bcf9b87025eb2d254036ec8c6cf7e77201d9d4228103dbcd0d

Download Submit
C:\Config.Msi\f76972b.rbs
Filesize
7KB

MD5
77a6fe182e10a4a3d7445803c76c9463

SHA1
f96396295b7985484d92a5329f4cdec39c71131a

SHA256
ba838b712441d68f7e1ca9bdfcfd4c84d79d5a92e8c23fbbe18e07f49ff0f6d0

SHA512
33281af0c5d49dfd2d22d9ae53245f1541bd137eaa492223193bf702e296b1541b1785dbabf0328d0e68b3604496cd1005ef85ced533193443d7d260dfa5e249

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
173B

MD5
625bd85c8b8661c2d42626fc892ee663

SHA1
86c29abb8b229f2d982df62119a23976a15996d9

SHA256
63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a

SHA512
07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
de89ac8bdade03160bb40c74e76ec7d1

SHA1
39fc8033533711c0852c72378d823d86a4813d4f

SHA256
2995000e5fa6a13830a94d3afe96c1f0453e4bd7a8ee6182ac1db67ecbb0d727

SHA512
2bb2dd473aa3e364148cc7f1e48ebe4b7f578d0d54699e8c602d74a115c5adeffb74f0b7529d977b023ee6064f0e0c6e963cb96a8c4ec1c92f92698b1be70f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
680037ce0a648c5904182771e8b7b0e4

SHA1
6ed23bb9ff1a719c623737e14dc12152f3d4969a

SHA256
131564045cd14bcf091da780b0f836d0e9ce21b01524881517df78f60de25a3c

SHA512
aeb42fba0695ed2d31d28815462a500ef51488e784bbae83320e10f94ec3e9e95301a57a1a85893e7484c391fbf437b31176be112afb0ec0e4a00f05b8363f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9c4b0c8e80093d83e45e79fb6c2e937b

SHA1
dafd727317fc9a378864de5610e12bd9deb98136

SHA256
244529e517281fc946ca9d2f07dd01f1d34f37923e1bd690d828d4c674f6fe30

SHA512
df879d537adb8d1b90e70c0acbcaca6a0dc94ec4e2b6a042008d7e685b6ee0e778329370bc3d374f009bbefe78280aecbaca53851c38b1b996ce77f6846e69c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
12ec53e443873483443f230e89120597

SHA1
5565462a27bf183a8f840b0f2a45df5705f5db9c

SHA256
e6ed095e5873bb64facecaecb6a6db405f0e673fb8dae26bbf70ba6d4f3b3944

SHA512
6a15c95a8f2395aa86572f9601b6f894ac5734e31b726dd70aa4f20d480d29eda4d7dcf6100a99bf3875412b0baac58cff956791ce0d5dea92fb4e08de9c25dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
9776ac9517d4830dcee3a6c91e93939e

SHA1
a3ad006a3706b8ccaf6b73c2028bb7c57d69ce44

SHA256
48f0c6a4e2461dd2beaf5bac29547b4582fe6bf6c3847c9683d12c853991173d

SHA512
6717f95bd30274ea78089f1657a5ec11711697029f9d2d603289dbad67fcde8584e4b6ff2cff03419f574dc7fa0911f7630d29887875da6cb3d8c212d688d129

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_401_x64\jre1.8.0_40164.msi
Filesize
60.9MB

MD5
4b80c230492aedab6757f904167b4e17

SHA1
ca169fc089c12341ac8a023e98e5f7d58a1d5d90

SHA256
0d961da2bc9f0fe029c31beb616d5069b718abd7f494f28a86fc6ace8e4718ea

SHA512
fcfbaa9c987bda1143f2596aca5bb3c04eebbb8ff7cacb9f855ef66d4c1b433a0a07c9694dcaff56f481df0234e8cc833e0c4b66aa52c2541db5fc562a741aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\host[1]
Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\layout[1]
Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\masthead_left[1]
Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\l10n[1]
Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\masthead_fill[1]
Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UA1HZF3D\common[1]
Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\rtutils[1]
Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\runtime[1]
Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF18326684525169536129.tmp
Filesize
424KB

MD5
4c41e856744eb797e9936359a6509287

SHA1
0959e6f4dd535eb6fae388b6b9ac179dcf3afd76

SHA256
83ff53f599acefc11f5cf63fd0516d4db72aacf7f0125a5f79c9ff222cbf9dd7

SHA512
07ae284caa316315da74246c960198a7d549acf86f96cec550f41109fcd870a69ccac9818361657fb859e89d2bdc8398c7731c80d274d99a768102022a5f6e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF6745788179123550127.tmp
Filesize
477KB

MD5
ec5d243a9958b3858b5a71fb9a690da7

SHA1
d80b02c91addef2ef58136d1a7df0189f453388c

SHA256
a4ece920f221b78d43b550d615c5934db162b64a331ffa663a85199e74ef2e6b

SHA512
479512c6076249a63a822d307b3d8c65d44d19abfadc597f0293fedf2c4fbac2ba6f60ca98d2c1dbb638ad09f3eb1419b6ef391fb098c7d1b62237bce9d79931

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF6802402722508201589.tmp
Filesize
132KB

MD5
afa7a91dadd77b23634a0fdf18c148f3

SHA1
6cbb57ba2355cf442e06899898ff5af55867103e

SHA256
9287925cae90ac480804094ff0876832065e2db116470da1f524d79ed9c18b70

SHA512
84d123b67505522c256f4ff79c3822eabe2d63036023896e9854298ff39e050bef7894f6320ccf950592015760354683c4dbd19aa203d433a04a5d6bb28e8115

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF7177581495281613696.tmp
Filesize
141KB

MD5
54a91b0619ccf9373d525109268219dc

SHA1
1d1d41fcadc571decb6444211b7993b99ce926e2

SHA256
b2efabca5ea4bc56eea829713706b5cd0788b82aca153bd4adde9b1573933b4f

SHA512
7f79ff3b42a672371814f42814aa5646328b1a314691d30ce09ffdc7a322adcb1af66625274f7fac024ca2f22a42b625001735711c430faef6e077e1f1d24887

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8189910945506013698.tmp
Filesize
156KB

MD5
607fc518b9f6506e5ef66c2839c69149

SHA1
55be7d31240add9837da746369bf0bb5c52e0f6f

SHA256
7149f8f1d8b0386ab74427c78d660e211c572ffd901897f86475319d28248083

SHA512
05785828204fab7789aac12c10fa4d77673ac89741e6749424f863d69f13ac6731ff215eb80eee84820ad0461f754e863c9cb8045beb25efde5179a2c5ccb1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25F0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.6MB

MD5
83a8f0546164c9ba1a248acedefd6e5d

SHA1
7652f353ed74015e7e78bc9f9e305a48d336b6d1

SHA256
e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9

SHA512
111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG
Filesize
43KB

MD5
7d26a524b09feacb9db695415e1a66b2

SHA1
724f925c2663b623a9755bf722b3f297c8ff605a

SHA256
867072872533f9000508dafdd49f5b83e03de7b611b454290e062034a423dc74

SHA512
6adae2bb7c7e390f5e50df048fb3417c31b025c4d32abcb97ef8206ae3f0769997650cdba178bbad8c34f07a4e613666388e4b9bc465549b47a8f01f0dec4a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG
Filesize
644B

MD5
859d53eb6f971993774da3bccee533a4

SHA1
c51f8e6a9cbd749b77edfeb324ef18ffdfc8e4fc

SHA256
768c5aa62161f6ddcab82911e727bf7d902c8d3d24d7c62726542b32ae70f3e7

SHA512
5e2f6cd3ffd37a02b5d198046e422bd7c19acca91675a6c38f58d0a985dcc640aedbdab969df9afbc8be6367df071d8e77663c42d5529d9c798602e6c97d246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG17.PNG
Filesize
40KB

MD5
69862e8a82c503fbc5cea0c9e8a33876

SHA1
a69deda06d6224750bf1ab941bf934bf5250fe4b

SHA256
8fc3a97777dec1ab22f74f069354cab4880731b873452694921cac9814059858

SHA512
db86fbd4e1692de8a2dc6816d34e28b12badaed81ad07a7ce4fc225a212fee63eccd1f51c5ebdf7485ee8c0db716f9ac649cd2a4aae92218372582e7ab3d3951

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP
Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG
Filesize
438B

MD5
b7b32e3aeb677124b236d776ef443489

SHA1
3249a596e03148836131988b8ca9392f677a7470

SHA256
f60847a54bde74835d80bb41bc3c57ad211ca30d69c2eb48ef7bffc7c6b44d0c

SHA512
f9044d9da82099a0747b3de0382db0999a9f80cbfe894ed9c4961498c41c5db9055c32d699424b6c5835230a2d74df491151beb90f0ff959b580164b2defab2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
136KB

MD5
1ffd93751bc3400074dc0affa49ddfaf

SHA1
81be618514bdb88161333386f326cfcac2075517

SHA256
e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be

SHA512
b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB

MD5
289707ea9b793c215f2b9c608f45ff6f

SHA1
6c1a21a23838e94e2d0008c7653d9f08d4448bfe

SHA256
3692103c88623fe00ade983f81233c4af17c75f8ba3b606d90c5036426514e96

SHA512
20a1d7d3b02479cf9ab7b75f9847ca5dfe79265b7f56825df1378bb2d787056cb034718af15949d5e2f766886c38a708b21c296e8d6176fc5ccd234c24ebb688

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
4KB

MD5
34c05cebbc4781e03f3075f17de425f6

SHA1
415d90e498728fd524a2a038c7cbfcfe0bf9c0a3

SHA256
65e5bf03e0e1e950ce3a498e16f64537331221d958849d1718eb6c380976bbc0

SHA512
21e4621dc5299b79e8a6de66eed201c95bfeb21569e367d978874fd5ac746dcb57bc1a3e91cbff70292450433b6025098ac0a322393260506287720ad5d148e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
24KB

MD5
25f8bd1c181876a8f8ce91852df33559

SHA1
f3a2a8c4765e392f6dee396b41b060b4002c3655

SHA256
b6a3551d29cb302ca945cd0892f93014b780f1c5ec3c4d5f2b6cce301b34b496

SHA512
f1db94610ff9358e0ff4f4de634f8a4fc904517b478b0834e94eb97d08c16c47e63ed13e99896ce86eae92a1660b7d12514662b8a25b18e53258c323e7cb34cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
741B

MD5
f5daf011b1368b2f0eb882f187cc8682

SHA1
4c04befe10dd872e3c28f7de752ffb942ed90241

SHA256
00d7d8552bb98a4d6ad4fe4a259853200daeeb53887631d912a75ed7d7f856f2

SHA512
c106dabcb1ed89d0d9397c1464926c7e75f72e9f9018c63e71c953141b8793ce6d2d21156a0b3f821948c35d514d50fe8a591abdfebe0987b544ebf07d10615c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
9.1MB

MD5
fa9848f3cff6d80b5704c6d2ccb10c2b

SHA1
714c93f3fc2b915efae0cac6028d317711d59264

SHA256
63ff7897d3a90de887c1baebb2ef7b87e596f1749e07322090786c902bdd8d16

SHA512
9078f5e3583a2b2cd43f63f023908f652a4c6eb647b1bd8988d33e8f2f1d34d44192ce50b795ffd9764d94a343bdc2ecdb94483ceef79739a92ff8d6a0f9a41b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TlauncherProfiles.json
Filesize
433B

MD5
4ae941467cabca3425fdc0c70f462bf6

SHA1
a68bd21ca9686e9d7b9aca6435772c4ea249c444

SHA256
e118c638fb81ac5d9fa71dc08a932f3e9ce599489380b263d1e1b52a10166e8d

SHA512
6a3d467fac6f6b09884dd400dac0b529c8af86f4b585d3b37d7d184579f05861d9512d6961f7baea9228bf42093208a5ea89b4444d99609f637b94ff3c61d833

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\logging.properties
Filesize
2KB

MD5
0f00ec3e7a7767a4efeae1875fb5f3d4

SHA1
167808418571e9209b952188ddab2f4e62920e68

SHA256
b62d2733ab99556b108a1951d894c5a8d76b1ac7a00c02c388f9eb9be046c56f

SHA512
e869f4a3b821a9933796dc9a56ee00483493369dfbfe07b3b1d895cb8318c6821cd44134eb37513f15b830c25861b596646824ed56672d08b678fefe6a4c7504

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\net.properties
Filesize
6KB

MD5
385443b7e4a37bc277c018cd1d336d49

SHA1
b2c0dfb00bf699e817bdd49b14bc24b8d3282c65

SHA256
5bc726671936e0af4fdf6bed67d9e3a20a92c30b0ba23673d0314baa5e3ffb08

SHA512
260afc7671a1dc0c443564f1d10386f0b241bb53c76df68d8d03f1d0b1ceaf3f68847ab3477732c876c2b01c812ef7521744befe88e312f3aa63164b608b67a1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\security\policy\README.txt
Filesize
2KB

MD5
3d47d94bc4f19d18bcc8b23f51d013af

SHA1
a97cd312d6a2a9c8c780c15e5af51a2f4f97c2cb

SHA256
6da0747334b0fea7592fd92614b2bbc8b126535e129b1fee483774d914e98eb5

SHA512
68a031264cf9442526307364ca74b336af55564c233c2f514cac48e910022767562f8ff6a64bb9cfcbf0fb5e755289273382c9246418a4b9207fc7761d03c64e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\security\policy\limited\default_US_export.policy.tlauncherdownload
Filesize
146B

MD5
1a08ffdf0bc871296c8d698fb22f542a

SHA1
f3f974d3f6245c50804dcc47173aa29d4d7f0e2c

SHA256
758b930a526fc670ab7537f8c26321527050a31f5f42149a2dda623c56a0a1a9

SHA512
4cfca5b10cd7addcff887c8f3621d2fbec1b5632436326377b0ce5af1ae3e8b68ac5a743ca6082fc79991b8eec703a6e1dfd5b896153407ad72327753222fdb3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\security\policy\limited\default_local.policy
Filesize
647B

MD5
6d7b4616a5dba477b6b6d3f9a12e568f

SHA1
7fb67e217c53a685cb9314001592b5bd50b5fbb9

SHA256
2b2627548e61316150d47ffc3e6cad465ca05b3cccd4785eb7d21aa7baa0f441

SHA512
a0b98cbbb49184df973bb2c4a506e9bc6e025a696bc0c8054a6352cc3f9b4a38e3baf117c6834ddaddc38498556607ed4eda8f1bc683f662d61da50e0db0c8c2

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\security\policy\limited\exempt_local.policy
Filesize
566B

MD5
4cbb03f484c86cbea1a217baae07d3c9

SHA1
ee67275bc119c98191a09ff72f043872b05ab7fd

SHA256
8c3d7648abcd95a272ce12db870082937f4d7f6878d730d83cb7fbb31eb8b2c9

SHA512
2bd70518aed6b0e01c520c446830c5f567fa72974548818cac3e1e5c2be6f03db78ce6012f5463b1e19c36243d04cbaad38ec79524635eaae2e427eb1875ccdb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\security\policy\unlimited\default_local.policy
Filesize
193B

MD5
2a0f330c51aff13a96af8bd5082c84a8

SHA1
ad2509631ed743c882999ac1200fd5fb8a593639

SHA256
8d8a318e6d90dfd7e26612d2b6385aa704f686ca6134c551f8928418d92b851a

SHA512
2b0385417a3fc2af58b1cbb186dd3e0b0875e42923884153deee0efcb390ca00b326ed5b266b3892d31bf7d40e10969a0b51daa6d0b4ca3183770786925d3cde

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\conf\sound.properties.tlauncherdownload
Filesize
1KB

MD5
4f95242740bfb7b133b879597947a41e

SHA1
9afceb218059d981d0fa9f07aad3c5097cf41b0c

SHA256
299c2360b6155eb28990ec49cd21753f97e43442fe8fab03e04f3e213df43a66

SHA512
99fdd75b8ce71622f85f957ae52b85e6646763f7864b670e993df0c2c77363ef9cfce2727badee03503cda41abe6eb8a278142766bf66f00b4eb39d0d4fc4a87

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\ADDITIONAL_LICENSE_INFO
Filesize
2KB

MD5
71bb3ad0017bf36d14bb96a8d4b32c45

SHA1
1a5c553e71bdb7d94995b206bc9eaa49abd1e888

SHA256
a69bce275ba7a3570af6579cb0f55682cd75fedfcd49e0e8e9022270c447c916

SHA512
9f658dfea71bdc3cc1549edfb5ad3171dbfa0082b2d91e820c09abe0b376b6bcd8b5170442a5e25e72274e98f130176bbdecfa7997c59705782b214f02136a20

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\LICENSE.tlauncherdownload
Filesize
18KB

MD5
3e0b59f8fac05c3c03d4a26bbda13f8f

SHA1
a4fb972c240d89131ee9e16b845cd302e0ecb05f

SHA256
4b9abebc4338048a7c2dc184e9f800deb349366bdf28eb23c2677a77b4c87726

SHA512
6732288c682a39ed9edf11a151f6f48e742696f4a762c0c7d8872b99b9f6d5ab6c305064d4910b1a254862a873129f11fd0fa56ff11bc577d29303f4fb492673

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\aes.md
Filesize
1KB

MD5
2e33468a535a4eb09ef57fc12a2652d0

SHA1
e64516f3fa1e72f88caa50f14b8046dd74d012b6

SHA256
45c6d4da48325edfbff3dcf71c704e504c057904435ed23c6d57046d551eb69d

SHA512
4d14b5ddbb4d09797264ed29ba71fab6986b4a9e75efb9402c1476e0a9e2884813d6a922dea125643b4f74e1f3e458f4e48d6c840e0f4d16ed72ffbc4611dbb2

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\c-libutl.md
Filesize
1KB

MD5
2e89a282a50f8702e52703464e6937ca

SHA1
cfc22a6f5b17cd539234d5b3160a5224abefadb9

SHA256
bef40679922d6fdfb7e4ddb223ad6722300f6054ba737bbf6188d60fcec517f9

SHA512
ae459d8ce5581ea57e203088373c1ce86d122d0e27eb871ee1383e0e64cd8a184fa207eee0e835347316e70afa24a1c95aec30def3e09d15ee19a0b2c3ad2095

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\public_suffix.md
Filesize
17KB

MD5
1411e0a639389f2dbb2b21490a5c0713

SHA1
1706fdcd0dbf23d793f81f4130c81a8d16b4f765

SHA256
e662969300048d914f80265eb516021ad2b0015c7e7eedd45c93655f11f256d7

SHA512
cbd16c4c29a51669f51ff9817ed33e29b871df215fb252a946c3b4e80fc83d4f0e4e1b32d46c2998924092e4b14585666f748b598708773dc6d2432701d6f627

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\wepoll.md
Filesize
1KB

MD5
cef1d92ff8ace278bd32ac5e18735b86

SHA1
6c7d15e2b8f3e99527458c8ea33420ee1d34af7b

SHA256
3ac2992770080453b98c42afa807ba4b2c1738ef756b92a55c645f55e7df48f0

SHA512
12aa61ae93fc626a230f39f44ca11c75086fd9bb50f2794fb9fec29b9bef924545fc19d9cb38fda631560ca78ae8e587144cf3cf3c83a6b336bb4711611393bf

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.base\zlib.md.tlauncherdownload
Filesize
1011B

MD5
440321d71d082c9f04a9995b613bdff2

SHA1
9af688d499b3026ec8e5a2e266dc4b9b4884a87b

SHA256
81518ebc49d23a7c77b2e08eff48664ea0c7dd90957a0caf22fd9654985d3285

SHA512
c516403a109630b79998f3bea6b698247a0b5367cc9873defa75014e8c98c690d34d0810d32792d80fde1333980ac6c5f19324743795cb6455ef0ee4979496bb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.compiler\LICENSE.tlauncherdownload
Filesize
32B

MD5
663f71c746cc2002aa53b066b06c88ab

SHA1
12976a6c2b227cbac58969c1455444596c894656

SHA256
d60635c89c9f352ae1e66ef414344f290f5b5f7ce5c23d9633d41fde0909df80

SHA512
507b7d09d3bcd9a24f0b4eeda67167595ac6ad37cd19fb31cd8f5ce8466826840c582cb5dc012a4bd51b55e01bb551e207e9da9e0d51948e89f962ba09606aab

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\ADDITIONAL_LICENSE_INFO.tlauncherdownload
Filesize
48B

MD5
512f151af02b6bd258428b784b457531

SHA1
84d2102ad171863db04e7ee22a259d1f6c5de4a5

SHA256
d255311b0a181e243de326d111502a8b1dc7277b534a295a8340ab5230e74c83

SHA512
1a305bc333c7c2055a334dc67734db587fd6fda457b46c8df8f17ded0a8982e3830970bee75cc17274aa0a4082f32792b5dbff88410fa43cc61b55c1dce4c129

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\ASSEMBLY_EXCEPTION.tlauncherdownload
Filesize
43B

MD5
bd468da51b15a9f09778545b00265f34

SHA1
c80e4bab46e34d02826eab226a4441d0970f2aba

SHA256
7901499314e881a978d80a31970f0daec92d4995f3305e31fb53c38d9cc6ec3b

SHA512
2c1d43c3e17bb2fca24a77bea3d2b3954a47da92e0cdd0738509bffcdbe2935c11764cd5af50439061638bba8b8d59da29e97ea7404ea605f7575fc13395ca93

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\colorimaging.md
Filesize
167B

MD5
0889fd01a6802a5a934572d9bd47f430

SHA1
7a7e547452ee1c72e8b0d96dccbe315f62d5b564

SHA256
04d61e3e8e71dd452ebe52008af5378d9f6640d14578aeb515dc5375973b0189

SHA512
f5872960470810cdbdc2db1dfb216cab88203b23400b16e157c8654c2eecff8d9b26ce066ec18718c8e6d54ee1c54533fdade395c454210fed5159fd4a7a0adb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\giflib.md
Filesize
1KB

MD5
867001e2a577f88cfc856f45959502aa

SHA1
109c11cec13349212ba94b9f3eb7d0943229938e

SHA256
c8b99f33890887d27ad56fba9edd8ebbc668cfe0689168505a95613d1d4b32f8

SHA512
dafac31d75a7ab4ddd7666799a24abf22c1583ca22554a738cc26a77bf927b20dde52f12194670a5196bce3a43bd58de46944291727c8877fee1fe4a38a1f1ca

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\lcms.md.tlauncherdownload
Filesize
2KB

MD5
04a8a77cafdd6185a3506eccf7a83346

SHA1
1acbec21e9eab8bd2bee9826353c1e768d5457b5

SHA256
8acf00b5efd25c1c055927222fd3c26b0c9fd02ed02e478c225b64e7a24d9782

SHA512
a91faa243a09bdfe62714859b9b4420e8434dd09693a6a280e1c8ef6694fb7858d0171fae4ca36721b685e3ab8bc8000c5635bf3789250a5b9081130eb4ff57c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.desktop\mesa3d.md.tlauncherdownload
Filesize
5KB

MD5
c7e0d19c8f4eff11e97f0eb9afd3f7f4

SHA1
6a98ee2703132e181f37d162452f073fb64ced83

SHA256
63f4e6f75caebbccb95d903fb43e46ac7111b3624d0a34f146b276d7d9e7b152

SHA512
9c4111728ab9472f0b160cb11ce1e4ebd75a83cfddca0b3cb87243d15afc5a7fa34dc6006e6b92084648cbad1426f70b405259f589cdef758442643e1618dff4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.xml\bcel.md
Filesize
10KB

MD5
daae908a4dd474afec9c010d416acb2d

SHA1
a59717166af2e8fa9ecd6d622fd6b82b835acce9

SHA256
853a1e7ce397bb10de0e2b3bde0844bcc651f17d983decd07d2d003c0304c311

SHA512
25f2189643a113616f53cd87fc96df01b55602bfc3f6653e48c310de03f6d79ccbbec58936d54b88052e32d68c646017bf75b8a179f59fb9d2c5f6938e351a4d

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.xml\dom.md
Filesize
3KB

MD5
13952c46b3867103ad7d1e9c6c9e906c

SHA1
4bf3f9908314b05f3b0f6e27be2c1fb7e25fffbb

SHA256
6686e8877667584a3a7c07344baadca1a03e29f677162d87c3c0811e990d1148

SHA512
8c71f226f0f07b471aea6b8e715434b5eaa6b4a59a653ec22c2489e743e9288a0c4537f479719f9d58737d0257470c9cceff9ce647a96e79fd757a4cdcfed499

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\java.xml\jcup.md
Filesize
1KB

MD5
d19594fbf6eab2242dc29257905d8ded

SHA1
fbdcbe5a7e7d91d440c200f5fb00e0cf6a81976c

SHA256
8d5dcfdf50455a3c34c753a98f21e953248af200415a9084e3f102cb6c43b8bf

SHA512
7ed3e58f189f2922f7543d4617308d0c35f8adc2e7cbbb6fbba49d33cdd5da64c6edc022ae9842c28e58d97b056a245245c816003978f1e0152236636ca72ba5

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.crypto.cryptoki\pkcs11cryptotoken.md
Filesize
3KB

MD5
fa24b7e2a61a7045cb0c6c385000681b

SHA1
869fc0b687986ea26b8ff63c137e03c92234a5c8

SHA256
262802e081760b38b3748c8b194353d340e39bc936ac22e17abbb7158d895811

SHA512
2676cfdfd61762c7b6171985e8cfe1068c36683ca43753a1ffb10241ac61a74c9be1c00be22903df85ba6954fd908d77de60903c316506fd88b9679672ada968

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.crypto.cryptoki\pkcs11wrapper.md
Filesize
2KB

MD5
b77d1951df7a8488eb84ce1d25486a14

SHA1
e35415235ec3bbcb92beeceb03a9a8e7c13a6fce

SHA256
371974b1fca3744a3892c7ee1fcc593b8b4281fc218f4cafd2f709e9df5fd81d

SHA512
759c75f87309b67c56a5b7088045e04be7c023ecdbaea80842e22b81b0bfb36026191070471f8b08fef47ec73664611ce0453b4a9818f7708c95663733ee5ce9

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.internal.opt\jopt-simple.md
Filesize
1KB

MD5
4f3f190fd212329afc39442174ca4b3a

SHA1
d7e25adf223e68d06276ae7666bbc96590dda442

SHA256
99bc67f93cf57d6d20e6047731c93fbb267d70fbdd4115d119e0f85c6efe5c05

SHA512
fdd3d2fcfd865f62dad0ba2617ea816c78a3dc9d99d8991ffb5eb479fda37317dc3f70b0dcdb1847ffe4432947690436ad4046bfb056c37e2991e6fefa8b70c0

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.javadoc\jquery.md
Filesize
2KB

MD5
8ef4ab67241efd69eaa3df9871fa0dbd

SHA1
a20a019c3b06d4263b00f5e89ed394a52b8c1981

SHA256
0716943682c624fd2f49b3a718a2ed4d6386e872fe741f1c759573ae24509d3e

SHA512
1f85e70e166146d81457f05be906f18b9b16ed82bed5f544f090d894b8d0cb1ff4fe5fffd90022f06f2024b2dbf74a30f2940a21941871358469b1f9a1a19998

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.javadoc\jqueryUI.md
Filesize
1KB

MD5
86bfe7b4e5cbedc085060a2c3f13febe

SHA1
a98cfdc7d73e016ce8b23c1d00daa3d2d3c03a3d

SHA256
bb0a0e89ebd824df714516bf64b9101c62081e4b376f00f929a58c09555bf111

SHA512
2656ab0100db997c9306be156af613861c9071a3be1b26f2882a68424e37d1b17674183729c1ba1024302011d42658058f024ce98db5bbb4d528c498ddd21d6e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\legal\jdk.localedata\thaidict.md
Filesize
1KB

MD5
2ea6eb55ca40902554aaf2fd20a76ba8

SHA1
e5b9e88e174c797c313d6739e7e34772b723bc4b

SHA256
c326144a2351c9608fa708b5d7d3c5a3da03e82b66479b128e9db4969539824a

SHA512
5221112cd8ef83b636dc4364f53b72c5484a5885acb55c2c071c88d23058093caee38578f7e424ecafdb483ccc0bc8e78d7ac13add536ec824a8eac171a576cb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\lib\jvm.cfg
Filesize
29B

MD5
7ce21bdcfa333c231d74a77394206302

SHA1
c5a940d2dee8e7bfc01a87d585ddca420d37e226

SHA256
aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0

SHA512
8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\lib\security\blocked.certs.tlauncherdownload
Filesize
2KB

MD5
8273f70416f494f7fa5b6c70a101e00e

SHA1
aeaebb14fbf146fbb0aaf347446c08766c86ca7f

SHA256
583500b76965eb54b03493372989ab4d3426f85462d1db232c5ae6706a4d6c58

SHA512
e697a57d64ace1f302300f83e875c2726407f8daf7c1d38b07ab8b4b11299fd698582d825bee817a1af85a285f27877a9e603e48e01c72e482a04dc7ab12c8da

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\lib\tzdb.dat.tlauncherdownload
Filesize
101KB

MD5
2fd920c56de68f65493ba6962fd079e1

SHA1
1e79bff02711d3dab3c75e90d4bb08f8086c9626

SHA256
b7dba25abdfee317daa042c89b01e5711f5781d020dd733ba411760b72addb93

SHA512
958f835407e4a10a268bf76bc2ef0196ecd5fa92e139de4c3760544dbdf76f95e67865bac22406aef8ac5ae7508fe63cd1a688c8328e46b73a5867efa4f18d47

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\runtime\java-runtime-delta\windows\java-runtime-delta\lib\tzmappings
Filesize
21KB

MD5
4c30d7867505379a18a27d0e8f03198c

SHA1
0cc871d5bd91e061d676a861749af68bbc0ca9c6

SHA256
b41575b332809b37ad423bdca30c7c48cdef3d82f82fa9d534781a6f15d6a2ab

SHA512
873d329682ce67267f438b88eee0fc25cecbbcc1f7d694118417ad12756ec2b6ae7502ec4eea0cc9b4ae8b9e68f5f8877762fa13dea89c4a6dcd54fd8bf82c56

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG
Filesize
45KB

MD5
d1172f72e8fec2b8ddbfe964b7197dd6

SHA1
91b86d380b4cf7f3fc6dba2be364551f0194ceab

SHA256
a8f33799d6ea706548917b5686b7bd1c6f077fcb344cbd51e9af8d7b4ffbb7d3

SHA512
afa1b94831188a4d15314a9c2a7c528e7c748a51030bbf6dfb735de5288f5a5fbcd6db3c275a0346c69dd6e999b50df81c7bf63a0cc5cc5c563c49844d363acb

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG
Filesize
206B

MD5
982b81691cac850c2b98b252e4064660

SHA1
0c284934268046484921afa55587d863a3a241a3

SHA256
3aca81c52680324664bf3128976503ce73931444b956cb3127810661dccd1687

SHA512
5be188c92fd6dc8ff014f4f4ff3195edc69edb6142833a42ad49d45807ccb6bc5e7309a91d5a7f822f96f2951872f85d7a48328d123d2df59158af64a15e9f69

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG
Filesize
41KB

MD5
2fe88aedf465ed13678cdbc685e44fa0

SHA1
624f5a00e7cb017e9bfdfab79f6594a7e02171db

SHA256
4351cce19e5189a474a3e5dfba8c1c33e51bd875c1d574e5069b49a752f9f665

SHA512
6fbff486e7064d083ba8d12d0bffa102fdd61a3f818bc85516ed12b287b582adfe7d358d6ace18b45978bbafd9d9a1df2e08dde8291cabb35677314e99ab299c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG
Filesize
475B

MD5
b0a5a3db3901023adfc16cff5a381ead

SHA1
dfa2662d731eba223ede334a6f875b33e0da964e

SHA256
88812d618bc05aea2f43fe26cc7fb24953883418e51d6ca14d6a57fead9b97fd

SHA512
8eb6e90e6884b6ae0fdf943f4326d3ecf34eb9cc5e73d87137ffdea7caaf11cbf48bb7571096d7ed1e0de6c5627cddc9e018eeab2bfbe6639b573ac4b5209960

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
368B

MD5
9d399665b43d4310c637b43ae523da04

SHA1
5984f23773322e93fb762168cc1924fdab9cca0b

SHA256
c64efebdbee0cba76aa97b61953cfeab0097443bafdddc840feeb81ab0b4f2f7

SHA512
b881e136b499b8a32a68273d476daa5b258823cceaccf73740341f2af366458e66e1e91d5da8cf8bb07dd8f67665774caef58f15031c3bcc0a2ddad41d0c6145

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
18KB

MD5
fa46162ad06fffab549a264a18a9833d

SHA1
1926b3b9db10d2f656dfc7a6ba868cf3c26db816

SHA256
6b2f88869f6d7826394e8b974aa9c1bc983da2eeef638748916505836f176f62

SHA512
013f2c4cd09a12aa2a0181bfcaca9866cd853b1b06ed024bd4356f960a299b2067426cda89ffbc94f091d0bcd6cc4b15d5e1324716b3d2038beb323aafcd366d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
3KB

MD5
3a06c6b8c41bf2959578265e0b021912

SHA1
2e39dcb87dc50f2674fae5d11deea724d62d75a7

SHA256
6e89d5d89f8681ec78bf73d7d9ba9dcbd4ca4e3b1a0354c359cf93efc7752667

SHA512
02ad43bcb3e000ee4c850a30ae21535bb2bc1cf5c80d41ed11f08dc056863330ea7dd62a2d1d7e6571e2a59e61281b73422a5c8c786ea424389b9b63dc6344e3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
4KB

MD5
60c9781b9cd83bbb424b0f8143f74eb3

SHA1
bf00b0b870f7a5d1f8570584a98d57170c8a2491

SHA256
224e13e2a0c29bfc2054524a06874dfbb02619cd7fd9725efa929bcb02055fb7

SHA512
a8140f1a93f4f14dc5e48265656cceeb9369a3710fffdadae26a25d584439ef55caad7b796fa9b14796c27ee8b2b321c8f3f60588b2c20a81c52dcd11f99495b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.921\dependencies.json
Filesize
17KB

MD5
dd4d9eb42e26f86cdb8f58ac1401e217

SHA1
24fd4a27ca650aae032ad1ecc15f1b7560803822

SHA256
22127b008d98bf65a5fe9f846641eae124975eeb91b0af0285be977037c41993

SHA512
5df828b723041e41db19a58a20c8446a791a1dc07d3669b080c4d128b229dd8fa5b43f83f445ade20545339bc402372d7924861acdfecea1e609dbe7545fda1e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.921\resources.json
Filesize
17KB

MD5
d892039e33a914bdd174cbfdfd0e7331

SHA1
42754a8f3d087d09999d8b89ce6ea4eab522f1f9

SHA256
5acb848f36f188765ef517f67d90fda54892af1d5db3612ba8ed5d3802e2fbb6

SHA512
f21dd600db9140adc394b749485102a89723a7696101cf19ca6e365f2be9d3a7b0ad54a335985065165c07122415afb9a85170cc1144b8acf237f07538865511

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize
3KB

MD5
91db38ec63d5ba27c2d84d1ce4f5950f

SHA1
0f981c54c5dc136c271387b919d0da1c043484d0

SHA256
4a21a1eada9a254e366a32670c65ae5e1fa9b12ac72b1be4e55be54347a1f38e

SHA512
299ea4bbf286e7f4d1eac2b9ed5e06d0deb25a79d3d8effd8524154b576c16b14074e6d6d4c8225cd633e2cccc74547a3ebeff1ced03e99b6879cba08e330356

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json
Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT
Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO
Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION
Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE
Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\tlauncher-2.0.properties
Filesize
1KB

MD5
1e33e2b8bba011e89cbb2abfc4340c9a

SHA1
30edb6d3a6278c87f555c541c95beae62c298b3d

SHA256
5b2fa173ebba109a1fd9d0b2571c949e414de8799329e7825db59265d9d5176f

SHA512
e195e2502d89ac8f0047e684deaa52b04507149714c4439f86125364a38769c225eeac465714788feb3cbf183446d5e25790793ca88a692e1a2f5af3ff77d652

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I77E5N90.txt
Filesize
869B

MD5
3c73a4721a4c8bb306ea41ca32c0faf8

SHA1
e2bb41c556936dcea56d7ba53f08cf6262322523

SHA256
f2d230abb0a66d6dbdffdb2f82471ede489f6b338c87db8d91d51ac92b26de12

SHA512
21227b9d4aa018bea683e9ca7205777db34745685d16e44544375efcc5567c7226f56e864dbd789a3c3ca81332f84d69d24df61225347013de8156ed966c2ec9

Download Submit
C:\Windows\Installer\f769727.msi
Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.2MB

MD5
d795ef2a7b1d60d78cf3d4d083346a7c

SHA1
68a623b6b821476e543ea8dadb02ee3a78c55762

SHA256
c367e0f3b55b16ff6f167f19a3885b9dc7e9e34c0ccdf1df06af5ce7656bd61a

SHA512
bbc4161586240074989c56c9abed3bb36cc68516f03a741438a07633c21343a2a3c2ce43d741f83096e28a541ffb58e56c348cf8ebaa3dc91ae8953bb72c1666

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.2MB

MD5
a266e0ae1001da0023f9664afbcaee99

SHA1
f943c180e5221a5943039c21b21f394dd99cbe14

SHA256
819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf

SHA512
525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259424296.tmp\jre-windows.exe
Filesize
64.0MB

MD5
96d622d62567def49ad8999324a66709

SHA1
5a4749631631d97e9db816f5cca2392e69d0b7d9

SHA256
953b06705f72bfffac774c41ceb359fe1d3f8a0c5d6a44f93597ce9c39399994

SHA512
c2d350895f47c5164138d2e3befbeb0acda8097a7904a28d9ad9db70ea0aabb3ec54a476dcb2746a41308fb79616d810305c53f7e23a4856a3f9eb656896de0d

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
64.4MB

MD5
af1d24091758f1e02d51dc5f5297c932

SHA1
dc3f98dded6c1f1e363db6752c512e01ac9433f3

SHA256
e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd

SHA512
8d4264a6b17f7bbfd533b11ec30d7754a960a9f2fbef10c9977b620051c5538d8eb6080ea78e070904c7c52a6ce998736fad2037f6389ad4c5c0ce3f1d09e756

Download Submit
\Windows\Installer\MSI9B1F.tmp
Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
memory/448-3311-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/448-3290-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/448-5089-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/448-3314-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/448-4625-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/448-4624-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/448-3281-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/448-3289-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/448-3291-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/760-749-0x0000000003200000-0x00000000035E9000-memory.dmp

Filesize
3.9MB

Download
memory/760-747-0x0000000003200000-0x00000000035E9000-memory.dmp

Filesize
3.9MB

Download
memory/760-744-0x0000000003200000-0x00000000035E9000-memory.dmp

Filesize
3.9MB

Download
memory/832-2341-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/832-2352-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/832-2355-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/832-2380-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/832-2371-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/908-2114-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1412-2446-0x000007FFFFF70000-0x000007FFFFF80000-memory.dmp

Filesize
64KB

Download
memory/1416-5136-0x00000000006C0000-0x000000000071C000-memory.dmp

Filesize
368KB

Download
memory/1416-5138-0x00000000006C0000-0x000000000071C000-memory.dmp

Filesize
368KB

Download
memory/1416-5134-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1416-5132-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1416-5137-0x00000000006C0000-0x000000000071C000-memory.dmp

Filesize
368KB

Download
memory/1416-5133-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1416-5142-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/1416-5143-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/1488-2589-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1488-2591-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1712-832-0x0000000003300000-0x00000000036E9000-memory.dmp

Filesize
3.9MB

Download
memory/1712-6-0x0000000003300000-0x00000000036E9000-memory.dmp

Filesize
3.9MB

Download
memory/2044-2889-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2084-2578-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2084-2575-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2144-1373-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-3270-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-18-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-597-0x00000000008B0000-0x00000000008B3000-memory.dmp

Filesize
12KB

Download
memory/2144-596-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-700-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-699-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-704-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/2144-833-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2271-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2619-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2620-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-2463-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2458-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-1372-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2144-1532-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/2144-1530-0x0000000000150000-0x0000000000539000-memory.dmp

Filesize
3.9MB

Download
memory/2444-4637-0x00000000023E0000-0x00000000023EA000-memory.dmp

Filesize
40KB

Download
memory/2444-4704-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2444-5139-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2444-5140-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2444-5135-0x00000000023E0000-0x00000000023EA000-memory.dmp

Filesize
40KB

Download
memory/2444-5141-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2444-4705-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2444-4703-0x000000001EFE0000-0x000000001EFEA000-memory.dmp

Filesize
40KB

Download
memory/2740-2329-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2740-2287-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2740-2303-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2740-2300-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2928-750-0x0000000000830000-0x0000000000C19000-memory.dmp

Filesize
3.9MB

Download
memory/2928-813-0x0000000000830000-0x0000000000C19000-memory.dmp

Filesize
3.9MB

Download