8f657e915ef6ab8f9f0ecb653f2b79b19a6e68bb14d997b4b8c6e005c3923453

Analysis

max time kernel
225s
max time network
219s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.2.exe
Size

22.3MB
MD5

7467a35cd1f34498c32d68fc11cf2dd6
SHA1

3349ad795ff859a581f8d1c99d735f1817ca17e6
SHA256

8f657e915ef6ab8f9f0ecb653f2b79b19a6e68bb14d997b4b8c6e005c3923453
SHA512

840fdc04e600fd6e0c01d2ee03b0e2f904f08ef1e59dce14b9c4897fa1971f4ad8431321e3061ef09ae981bcae5f008e613f8497745e29f9f007842877b6efa5
SSDEEP

393216:/25KXSlsQ8C+Q5JIkc2rr6of5MJ7ZWqxPAIgtMIMlFRqH0fHbS1K8kn/rbhQyDkd:GKXWsQ8CJIArrKJBH5lFRqH0fYk/pUJn

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

pid	Process
2448	irsetup.exe
1604	TLauncher.exe
3056	jre-8u51-windows-x64.exe
2420	installer.exe
804	bspatch.exe
2328	unpack200.exe
2664	unpack200.exe
328	unpack200.exe
1660	unpack200.exe
1408	unpack200.exe
2152	unpack200.exe
2276	unpack200.exe
2776	unpack200.exe
1964	javaw.exe
2660	javaws.exe
1784	javaw.exe
1364	jp2launcher.exe
2512	javaws.exe
1496	jp2launcher.exe
2100	javaw.exe
596	javaw.exe
2556	jaureg.exe
2888	TLauncher.exe
1540	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1984	TLauncher-Installer-1.4.2.exe
1984	TLauncher-Installer-1.4.2.exe
1984	TLauncher-Installer-1.4.2.exe
1984	TLauncher-Installer-1.4.2.exe
2448	irsetup.exe
2448	irsetup.exe
2448	irsetup.exe
2180	iexplore.exe
1144	Process not Found
1144	Process not Found
2612	msiexec.exe
804	bspatch.exe
804	bspatch.exe
804	bspatch.exe
2420	installer.exe
2328	unpack200.exe
2664	unpack200.exe
328	unpack200.exe
1660	unpack200.exe
1408	unpack200.exe
2152	unpack200.exe
2276	unpack200.exe
2776	unpack200.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
856	Process not Found
856	Process not Found
1964	javaw.exe
1964	javaw.exe
1964	javaw.exe
1964	javaw.exe
1964	javaw.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
2420	installer.exe
856	Process not Found
856	Process not Found
2660	javaws.exe
1784	javaw.exe
1784	javaw.exe
1784	javaw.exe
1784	javaw.exe
1784	javaw.exe
2660	javaws.exe
1364	jp2launcher.exe
1364	jp2launcher.exe
1364	jp2launcher.exe
1364	jp2launcher.exe
1364	jp2launcher.exe
1364	jp2launcher.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002d000000014983-3.dat	upx
behavioral1/memory/2448-19-0x0000000000280000-0x0000000000669000-memory.dmp	upx
behavioral1/memory/2448-662-0x0000000000280000-0x0000000000669000-memory.dmp	upx
behavioral1/memory/2448-1183-0x0000000000280000-0x0000000000669000-memory.dmp	upx
behavioral1/memory/2448-1737-0x0000000000280000-0x0000000000669000-memory.dmp	upx
behavioral1/files/0x0006000000018765-2448.dat	upx
behavioral1/memory/804-2449-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/804-2478-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfontj2d.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\fxplugins.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2native.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\sound.properties	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task64.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar	installer.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770b8a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47BE.tmp	msiexec.exe
File created	C:\Windows\Installer\f770b85.msi	msiexec.exe
File created	C:\Windows\Installer\f770b88.ipi	msiexec.exe
File created	C:\Windows\Installer\f770b8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770b8e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58FF.tmp	msiexec.exe
File created	C:\Windows\Installer\f770b8e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI598C.tmp	msiexec.exe
File created	C:\Windows\Installer\f770b90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770b85.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770b88.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770b8b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 20b477e5d6b1da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f61e4a4789118d4b9ee992e14c10855d000000000200000000001066000000010000200000004f12c34650de328446a564b85e650c55305320b86aa0400afb863e5ab95367a9000000000e800000000200002000000081eb9411a34f02e4f61d7f254b1c36e85f1417ab17c129ff6a24c0677650819690000000ca10b9bca6cbfbfad4f6135fdcc79d81310c129c165fc547a1c4b5508a8a01862a388c064e769bcb6add91bb7b8a2f5897d0bfecb466758c9f36c9459bd572640b4335fbc1c7fa589b491afc9a307c65ece4e011c83703590aea74391d4916ab0c1adf76ee42dc085408faaa4f40d464313f83f9ff2a7a5718084b47319f9c2de037021af1a9e56f13d94797efbcab82400000003ef6039ef9c80ad2a1ad29e8997c384de802020c157aef40309d3acb8b1023600a964224db983a0cef6fd698b7af22f4a8d1e66db25ae20b122f5b9eac0304ca	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f61e4a4789118d4b9ee992e14c10855d000000000200000000001066000000010000200000003112bb5d2a62911e8142368f384a37b7dd662b173d16a876d251be2789ef476a000000000e8000000002000020000000e1420cc180615ea765ce8659e1c0182b34885e244cfd96fea34e307136156ffc20000000e1f6decb252e86bef2f6e9464b23ea5fd1852a574b82700e74f3af0602c4719f4000000074532d831bfd99ffb69527cbc812da5010b191d67ceea5a02e295be9670b29c67ad1cc0b47db482e2b9f98e5598eb1973a6c30db4ebd09b881ca5e3dc92674b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c042f4f3d6b1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D419011-1DCA-11EF-8FBA-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_20"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_14"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_10"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_44"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_28"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_01"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_43"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_101"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_39"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_26"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_78"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_06"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_15"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_03"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_10"	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1364	jp2launcher.exe
1496	jp2launcher.exe
2612	msiexec.exe
2612	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeSecurityPrivilege	2612	msiexec.exe
Token: SeCreateTokenPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	3056	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	3056	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2180	iexplore.exe
2180	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2448	irsetup.exe
2448	irsetup.exe
2448	irsetup.exe
2448	irsetup.exe
2180	iexplore.exe
2180	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE
1364	jp2launcher.exe
1496	jp2launcher.exe
1540	javaw.exe
1540	javaw.exe
1540	javaw.exe
1540	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1984 wrote to memory of 2448	1984	TLauncher-Installer-1.4.2.exe	28
PID 1604 wrote to memory of 2180	1604	TLauncher.exe	31
PID 1604 wrote to memory of 2180	1604	TLauncher.exe	31
PID 1604 wrote to memory of 2180	1604	TLauncher.exe	31
PID 1604 wrote to memory of 2180	1604	TLauncher.exe	31
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 908	2180	iexplore.exe	32
PID 2180 wrote to memory of 3056	2180	iexplore.exe	36
PID 2180 wrote to memory of 3056	2180	iexplore.exe	36
PID 2180 wrote to memory of 3056	2180	iexplore.exe	36
PID 2612 wrote to memory of 2420	2612	msiexec.exe	39
PID 2612 wrote to memory of 2420	2612	msiexec.exe	39
PID 2612 wrote to memory of 2420	2612	msiexec.exe	39
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 804	2420	installer.exe	40
PID 2420 wrote to memory of 2328	2420	installer.exe	42
PID 2420 wrote to memory of 2328	2420	installer.exe	42
PID 2420 wrote to memory of 2328	2420	installer.exe	42
PID 2420 wrote to memory of 2664	2420	installer.exe	44
PID 2420 wrote to memory of 2664	2420	installer.exe	44
PID 2420 wrote to memory of 2664	2420	installer.exe	44
PID 2420 wrote to memory of 328	2420	installer.exe	46
PID 2420 wrote to memory of 328	2420	installer.exe	46
PID 2420 wrote to memory of 328	2420	installer.exe	46
PID 2420 wrote to memory of 1660	2420	installer.exe	48
PID 2420 wrote to memory of 1660	2420	installer.exe	48
PID 2420 wrote to memory of 1660	2420	installer.exe	48
PID 2420 wrote to memory of 1408	2420	installer.exe	50
PID 2420 wrote to memory of 1408	2420	installer.exe	50
PID 2420 wrote to memory of 1408	2420	installer.exe	50
PID 2420 wrote to memory of 2152	2420	installer.exe	52
PID 2420 wrote to memory of 2152	2420	installer.exe	52
PID 2420 wrote to memory of 2152	2420	installer.exe	52
PID 2420 wrote to memory of 2276	2420	installer.exe	54
PID 2420 wrote to memory of 2276	2420	installer.exe	54
PID 2420 wrote to memory of 2276	2420	installer.exe	54
PID 2420 wrote to memory of 2776	2420	installer.exe	56
PID 2420 wrote to memory of 2776	2420	installer.exe	56
PID 2420 wrote to memory of 2776	2420	installer.exe	56
PID 2420 wrote to memory of 1964	2420	installer.exe	58
PID 2420 wrote to memory of 1964	2420	installer.exe	58
PID 2420 wrote to memory of 1964	2420	installer.exe	58
PID 2420 wrote to memory of 2660	2420	installer.exe	59
PID 2420 wrote to memory of 2660	2420	installer.exe	59
PID 2420 wrote to memory of 2660	2420	installer.exe	59
PID 2660 wrote to memory of 1784	2660	javaws.exe	60
PID 2660 wrote to memory of 1784	2660	javaws.exe	60
PID 2660 wrote to memory of 1784	2660	javaws.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe" "__IRCT:3" "__IRTSS:23398040" "__IRSID:S-1-5-21-2297530677-1229052932-2803917579-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2448

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:908
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      Executes dropped EXE
      PID:2100
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      Executes dropped EXE
      PID:596
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      PID:2992
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
      4⤵
      Executes dropped EXE
      PID:2556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:804
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2328
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2664
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:328
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1660
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1408
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2152
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2276
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2776
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1964
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1784
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1364
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    PID:2512
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1496
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C15ECFA81586AD85228981567486D4FD
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
    3⤵
    PID:1628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9CA4C2104E33F3A3F5E10EDB51F491D0
  2⤵
  PID:2628

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2888
- C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770b89.rbs

Filesize
788KB

MD5
29d5574000c202ddf06b551dc422e502

SHA1
a22d219ccee1ff8cd9055ef2e87254c28242a541

SHA256
990e085efd7cd7c1579d37441718695554770343cad5e0ea3f2e8928e2d3eb60

SHA512
d828009aa20b19986e5e0453c260d269f59a6eca31ad5f4f65dcd1908d8eb027d6c6ce6fa75050c1aa191f9955e30c3f187d0952894e97a3360ac170a365f737

Download Submit
C:\Config.Msi\f770b8f.rbs

Filesize
8KB

MD5
11d386a9ab1500a894d647ef0bac0773

SHA1
d08b22c419075ed047daf4bd79a9d1f2785c96ca

SHA256
890fc8bd432540e57f919b28ed61e0090b2230d51cafb6e95f7f27db18fe2ae0

SHA512
a4cdc593a24768c5d6cf0f8fdf51d9bd146ba346af2d2f78764b4ea6c4e109435083edb534e69ee785ae98a423b178962c8c343c579912a5e810a9ae3f075051

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack

Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack

Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack

Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack

Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff

Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
f980da371bbdc64d59e72d2a392ad915

SHA1
98ed8f1259895e393483033b30e502ed5e356cfd

SHA256
86658a40808e738a82902b1d4b2e953ae538a2295186735fa15a6f98717decd5

SHA512
a5a59582830b6b1f1ef24ca0924735d7aeb26ee321c3b52b8d1f7284e108d8c1acba055d2b3e17afa5f3ff037a6dece9a8536efed9c72c6b78bb4181094e56db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
1KB

MD5
9ff3b14c6a7376a6a7214b6919746bf1

SHA1
22f864799d6bbf724c8e72baa6501a9ef38e2b84

SHA256
05127d9375d60017ac255d990657291100058e9f41d9c3538d99be0b0647f832

SHA512
edadf1550e4e779153328751004e8c99f0fd24863feeb47ed31eb77370b00d7942af680ee9ca16376ee714d0592de4bb25a553552b595dd0cd95887c5b9d37f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
af3b7c8a6952dc79ec7a031aa00db701

SHA1
8207585a061d5a7f69f1878ecb746c4c7faa5c96

SHA256
9b1d82d107459ad93794f229b27f896abb6c64acf3cc6e3fa3f691c624d605bc

SHA512
9fcdb7ef8682b26cac0b3e434a85b0f33738a40f2b9f464a317ad6120ff41878fcb9c1ba32c86bd045f0d516e39ee5261a0bf3d24bf0c0febc0384417ace444e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10aba9bd7c148cde4dbcf39398b117e7

SHA1
85d25a48fc4ce966679444c023259f5339e29d3a

SHA256
d97eda7b7bb3d01ed4e166e168c11d0a9c04fe3a05f38a638f152d4ccc596cfa

SHA512
b3c76fead847df7bf94e4f5a4a111ec85921f8aa6e3d9e1165857faff69957481a2e61fc6289a734c99a7044ad97ce0d1a3fb0845415bd01fb5fae196ea4c2f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2471327d3b99bbc1bce451dae4b0c12b

SHA1
84208bd0b7274e0e428a9ccff135df5501c64baa

SHA256
4f6e4afb6d802233bbf92377a245371254f7e2e5024c53b9830c3dc7163de834

SHA512
86eac9f56cd6c89550337c33e88e778f953bc9240ecac5b1ac0ee00f14512bd0d537f317915b34657d637eaf330a0df92633cdff81bab89915c0fd780aa9c3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8bf58ffbf1df76d2baa7b46464376d3

SHA1
dfac1d1d0ecb3a007c79e3ee019db96e4b96d980

SHA256
648823c36652d4879eaf26b36e0f88543eff3309a79086799bf646a12f110560

SHA512
57a297dc1956a5352e721365cbe85217e8fc3b4bc7e44160a412a879f6b1dda63e3d544d5a01106823f5394fae0a791787f30f333aabf2489bf7f6653d4c5417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40d118205481f4fbf0752803c8948a38

SHA1
c6cf891cda0d690a3d6f57626baf86ecb3acd24f

SHA256
da18fe2fcc37677229e958fafaab58170056993e58231acec15ae7df091323e7

SHA512
19d65ec113cef819dce782063e33c7c563e8fad2af057c66335bdd409034032f59ef522b10f593185695bbce0ce88e255a14ee769666abd86db9e0b677733dfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35f55e2f0d4f79efd8358e7b98ca61b8

SHA1
5cd11993881182ffcfb341a200328027e33d07c4

SHA256
b47e3eb17094d5bf108f64523d6abe0155d9e2ebc1aac6455aab4ec1efa34056

SHA512
a2aa3e3fb6bff00dd05c4136334df299264af50d1f8b09cbff316baec0b55d21bee145ab0412c639e7745e21b88bd10fdebfeb26e60798a30da01eb64025b6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48fa455afab447cc7ffc6365bcc7e005

SHA1
5902f6bba132facff9aa7d30a4225620d74028c8

SHA256
ffdc235c405baaecd71af8cdc73bd2a615731a247d867081ee0bea34433a6890

SHA512
5fa14ed6c8f0346057089ea90a8e76c30b5fc1e417663aee72b99d5b0ac205278d05db0a9bb4bd462a32b1310b763317e2c87cfaec563b60ea7477ae921e295d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b48c14c77332e62b25a3271926a6d0b

SHA1
25a6487475f2afc132715e2f5fc2dc04a67529eb

SHA256
09d401fe7d82049be248b4365069a8102dc544156a4a96de4640974de62a72a2

SHA512
ffd5be33bcac619df95a89a807d2bf0a2677a7be849f63d68fa77a28c65e3ec5623aec957764407780a5fbc5c3897a930c35f312bc313c3cca03246c965cbd79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
250cc18decc5e9c2dc95f7249f2a2b44

SHA1
dbcb5fc33a23ed2ddda0b0437dda828b731007bd

SHA256
67ab0e8e47460ecfb9113da4c0c95f4c609b093e4babf3e7352e634152121a90

SHA512
7745b930741442b1dfe9839b24da209026386c890539f9747b14019db406e7c1f319837e6977b78ee80b14f3bdf16bbb0f4ca2da598ef165b2dfa7cba5c100f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
72922547a179282b93f1c11daafc5ea0

SHA1
ccf147ee7900b632484878cfc0c5a408c62e3867

SHA256
b1bf2cf60d306d651af1a0b082233ce3bb0de10a1d9d491019c74d4d4001ee1c

SHA512
a6d3732edc741cf67c571dbf027e892ff997f9f8efe265b92f39a704ee31c1079165d4c9620bffe227d09f0de9c6fba152e40959efcb733a14e59d5ff0fc01b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
9939b9607a7f7fb10a3f6863a6f52be5

SHA1
0ab0bed91c0cd6e1489b14746221d6d3de1721ee

SHA256
06afdcacccacdbe702a3d347f8037fbebc1e1f33b95eea8b3262a20e5ca0c81e

SHA512
6b19777ba5f74328aa170441d03d2b2845f27ca58669182f14157a514766210c887bbc20af34816e5fb0dba4532f2ac3bbe479d08e47bd7bf7151208eec89fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
402B

MD5
00de128a36fe4b6138d097cee9abbf5f

SHA1
a717b7ef47867d321a2a50239865a9ddac4b7b21

SHA256
c13b2f580ae618e63a0877e66bf6bcc60eeda16efd6c7d9b5782cccf125cfef5

SHA512
68b6159435a2d98827d9ef618e8861e8c783b4514783ba5137812b5d6b2246250bf6bbdd5aa1098e6f828221919fb6cc57ad1987a5f1079982a39208bee510cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
010f372968190afd8b86a65f95c494dd

SHA1
183631dd22e04595270275f28aa57862a74777a5

SHA256
541ca2804ac9d2eccb2a19abfbf55a3db6e4fae09cf5985eadea232d5c6380f3

SHA512
49b47a3b1ec5da573593312434bf2be0b138cd5dbfc0407e8491960835ce326464c69b7c1a267dd5cdb49ba248f355f4307118f068d7f307f3e976391a7c9d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
69e725452c8517664db73a8ac3111aca

SHA1
0060e093b9ba91e6f96ed93a9ab5a4394953d5f6

SHA256
48d50a2116f274f52e893896b87147f46835234210c3edd4e3b5e5509dc3619d

SHA512
3545b56b0e544a95e4fb733d915d1c4a8f1b3902babadfa8634ba803df65a404473c0d58993f3f57e638ad12c79140c3b43b7b139123834180c335c54d29e279

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe.qn3auo5.partial

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36D1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
2885c4a1dc2bc52ea298b8d9c7e1bfbb

SHA1
964bff819cbfd38692900403460c67b9d0dae8b0

SHA256
4007ca82da52600902ad2e269445e0ae15701187d111ba7f59546c7dfe1fc3dc

SHA512
e0480ece21136a29a727fe99001fae8a9009a4ce92bb1a48644cf20dfc57fe70cb685b6427a6582f85ac2ffee93d85fe91c7cb1bc5b8e2121f3cb38907da2e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
9d0f62b656198cc2751cab6bf2a36a46

SHA1
616dbed062f7ef1be165cb167ea5788867a34923

SHA256
d1ec7db451e7e25d970fd62b22a7779a3f59eb3978a0081120d069ffbdb14295

SHA512
2591c988f685b9140a7fada6320f3ef5763ecce62cc47bf0f9bba6885b1714e136bb552672d9656efd19a08ea891e1686270fe56289598c6093dc8483a5f7636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
faefac14b9ba4ba2f2571fb164539f77

SHA1
9dd91143d4a95e52f9c380e3c3ce23c9180eaa15

SHA256
6509bb99d5392d840700e08452366518bc5ed578ee36b964adbee69f37048b2d

SHA512
f9851d8f801fc78739ab038375401582a7d8554df0efa05bd397127a0e431520c6715c5ebe65cc012306aa542128484f387473d200f58b0065581403721c9e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
e802a83fd63eefd5b70eb246f075639b

SHA1
5d201c7d3172ceafa318151acf499270f33db060

SHA256
50c8dccb06fe1332b471400c9d5d1bfcb47df1833077ada7e54e0018a82deee5

SHA512
7febb82664b9b160f5b00d978bb97d2f993a7d40a70696a40ffc472fdea23a636f5faaee6a67fd74c55d7c17b685e38e7f6d14be88f9f260d6520f17af06f09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
b66b94a905366bf25b5163fe5925e0d9

SHA1
b0e91b1797a1f9455d111e9d8dd5bd4aa72e935a

SHA256
0ced93717234ba2914c3a3b5c2dae4a7c4c52fd5393415e7c1482e4cb4ccf7f8

SHA512
2fc07db7c8791eb2c0eb67eb50b472f61fc180a281159f9a68d3e49391d89545726ef0a481d0efa8267eee64ee6514835a81a09bb537e62889612baa95a5bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
7KB

MD5
2920d3508ba27e9ac59c7e585487c407

SHA1
092c52f9ce1697dab409677fc4f4832f2dbecd7d

SHA256
0d187ee8a9b73c02c864287108b8e608ec8d5a1fde341c9ba917e8c701d3e335

SHA512
a1762bf68ee94d5193cdd5901d4b5638128d200dc8e752d7af48730854cfb303031c713469cf70c10be6ae8bc613d12ba1b1df50d6c1f8ac9414701a25425a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
18KB

MD5
07d2130b67c7a6e6023c21ba1d79a046

SHA1
5fe6f713cecea3f3593c567f155631e2323fbb12

SHA256
f71314b54e872ea8b1753a4b053034fc5128f451060aab75378aab74b9c01388

SHA512
1e13233b0e1f92572a35002cb84db98f602f90a151d28e9ff9a8b6a59dbfe7f60f93d614cf011717f61fb020049339bfbaf0c63bf933c4b2dc60dd746b5568a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
19KB

MD5
2defa6a4173f829ad71af886a0bd14b3

SHA1
ed3c9873006f32679b0013d32ad85ff762b25658

SHA256
b37d42b6d49227a1904fce20e66e80b35b70f01714f53b2574883d4315e9a69e

SHA512
1d05d4b57e1c1c1d4dbac66faccedeafba54109e74abee35fff11c0ee4fb26766ca8e8ac2cf4ae07d2c6c94dc1f8b7bdb07c2af0d61fb92ff6fc6a3d6b40bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
19KB

MD5
d1ca1beaf172ad0dcbc4153c7bb763a2

SHA1
05172be163913340433fd6f2117da42da1207cb6

SHA256
99c0315539e9dce83f3211568144caafba3485712d3ce74f002d7944cf3f0362

SHA512
61fcdc73833f82528448e38167fc08bba3c07c6796f4d2f6b54d5ebef513c05c1a50db4ded9f860bb7793c70748c70be3a0b41184e51cdf9dab7929e5505ebea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF7EE017E01DA0E0DA.TMP

Filesize
16KB

MD5
2c84d484e6e2630ec4e07ff101090643

SHA1
9b11a7ff57fd93f637bcbb66dca4772347c3226d

SHA256
fc671df241bc81d2ae2718533a2f56b9bc3dcfef7ecfe2681d4573de1e9ae89d

SHA512
f118887f6873e62b8569fdc66922bcddf2f2c85c9951b605bd6627c50ce9a3455d5757127d5c0fd50c92fe572d028a107b7ae10b675fad2081ae759127c383e8

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
b3900ec4c610092ddcecd3fe8d14a529

SHA1
f3c0713b0fa185bc2acd774ea4b6a7a568b20f2a

SHA256
d077af4a50d041a710c2362e29da0dcc4eae5c90cc7aa3f058a2cbed28f1c5a4

SHA512
5dbcab9c44fced17af4a1dcd713c81c079689e53a979501e2a0714494f553305d03bf52270b533828a71a9ad2c0c722f87a64a91c3b0e7cc4484774b4b54daf1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
cecc7c02d44d9c449121a542bb0fb36c

SHA1
6984cb702147fa42d975f101b286d802c66148f9

SHA256
a64ddc02113b74aedc3e77837b5045b178e82978e68e9be9d04425eefc6fc690

SHA512
e4a5bf35cbfe71789cee597df48268679b76093ac3dfa22cdc71015e734f6f68027e5efa489e6d010ec3b67f0eb56508cee949905e6a2d48c438b02d19edcd79

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
b5fb5788225a22d2235f27b5f4f0a275

SHA1
0820031da047efec3105b7f52c4254170102700f

SHA256
58f73ecf94e61492320c1cbaeed3b989fb60131d1441320cab502768c67a58c3

SHA512
1cdda78535038b51ef264acfcfc299bfa3521f69ad6d86b4451c0a3e311c882fd442094e99a213304670f0b4c50aada99b3559c4b55422261cc6b37b431955f3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
cee48467f5141425823298a0726aa52a

SHA1
8af5b57d4163514bdf1f1548ba612f227539b532

SHA256
d8aba6d89980c78a3554511653a7147210f544dabc457011a45957be596a7b72

SHA512
48c7ec8ba3087e06a38d66d2c3548c37ff02efe508a6303d3361de38c1d27ec8f8b17aa07eccb9e2c7ea10478d548c8049a3a50f13dffb0a006eded034e9fff9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
b196ede7761b55fd40b2167723f489b8

SHA1
c6fb9ec2a28bb6cb0c052d05018e9c81205244c9

SHA256
987b0a991162db5aa6d7560abd18474818e0639aed080643132c42b701fd1d8d

SHA512
661f91be3e77679cda55a63ab50636b2b68256e08bb4ed511e646bbf6835f85c3959388632843a1062677b5e405c1d76a09890086feb3d23f52cd72885763497

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
17KB

MD5
8cbb1dbdfa9a6e046f2e09310f93b138

SHA1
5a35daf608e109f97ae2ed58eb55c70a4c87d44c

SHA256
73d10eae23e7b72072a67bba6d5227b65ece549484e5c18835dd09da6812f426

SHA512
97093d19f4824cd4d5b41a63843c598278c23dcbf750a1551ccf7b7228ad433e95bae7031e685a09b689b95f71e258c0449bf53c1b3580dc3f5a4b5279953342

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
95c07ef3184f029f0dfa94d689ea4c4a

SHA1
c3e4c5d9faa0c038454e6e93396163e0b837e590

SHA256
ac1db8f6fc75cfda3f5021d419c22afaeb798d767198dd5c3f6647f25c380729

SHA512
67e866e2e6219e8d2850694b239d3f9cad499041871b237d1327c567a3b2995302c319e992e5a3805c874a34be49c9ba5cc5a5bb4497af903f34982f5677df23

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO

Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION

Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE

Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9IUO67AB.txt

Filesize
512B

MD5
91ea3d82517bbe6a38423ff3b39930bd

SHA1
a6d61e528baea698123da9fe6f511400c7fe4692

SHA256
8f50988ace5dcd4d87d208fcea39625238664cb6196e8b577a4c8515c16f4d26

SHA512
8172d536f94f04e301c8d2bfbba6f0bf8722463c51e2ea43c8d53db9049409bf92de9f6d7d1e73e194611900f84a3458d810429b4c0610dd97ff07723a6394a0

Download Submit
C:\Windows\Installer\f770b90.msi

Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
cd0ba34e6182159d0c7a70c40fa0bf6e

SHA1
a20c20dee4b7ecd1e2c1f6b025e2766b583e2c38

SHA256
fe88a318681b47a1e9aad79cd8b42fed323555fed23a04633b1bd16921380d86

SHA512
2c540e510bd22fd70dc6393599b13aa1cd820b8434692b4fb2cdc60c08f4c03e4a4d0357e75672d4c08573d15ba3d1e62692756c30be00226225b5bec0efd79e

Download Submit
memory/596-2987-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/596-2989-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/804-2456-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/804-2454-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/804-2449-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/804-2478-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/804-2455-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1364-2826-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1364-2862-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1364-2868-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1364-2827-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1496-2872-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1496-2873-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1496-2922-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1496-2910-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1496-2921-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1540-3204-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3100-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1540-3208-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3219-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3413-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1540-3160-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3231-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-4636-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1540-3199-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3066-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3085-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3414-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1540-3099-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1540-3102-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3116-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3117-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3142-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1540-3232-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1604-1741-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1784-2820-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1964-2740-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1984-1182-0x0000000003180000-0x0000000003569000-memory.dmp

Filesize
3.9MB

Download
memory/1984-20-0x0000000003180000-0x0000000003569000-memory.dmp

Filesize
3.9MB

Download
memory/1984-14-0x0000000003180000-0x0000000003569000-memory.dmp

Filesize
3.9MB

Download
memory/1984-18-0x0000000003180000-0x0000000003569000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2970-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2100-2967-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2448-662-0x0000000000280000-0x0000000000669000-memory.dmp

Filesize
3.9MB

Download
memory/2448-663-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2448-582-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2448-583-0x0000000002240000-0x0000000002243000-memory.dmp

Filesize
12KB

Download
memory/2448-19-0x0000000000280000-0x0000000000669000-memory.dmp

Filesize
3.9MB

Download
memory/2448-1183-0x0000000000280000-0x0000000000669000-memory.dmp

Filesize
3.9MB

Download
memory/2448-1738-0x0000000002240000-0x0000000002243000-memory.dmp

Filesize
12KB

Download
memory/2448-1737-0x0000000000280000-0x0000000000669000-memory.dmp

Filesize
3.9MB

Download
memory/2888-3056-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download