8f657e915ef6ab8f9f0ecb653f2b79b19a6e68bb14d997b4b8c6e005c3923453

Analysis

max time kernel
210s
max time network
214s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.2.exe
Size

22.3MB
MD5

7467a35cd1f34498c32d68fc11cf2dd6
SHA1

3349ad795ff859a581f8d1c99d735f1817ca17e6
SHA256

8f657e915ef6ab8f9f0ecb653f2b79b19a6e68bb14d997b4b8c6e005c3923453
SHA512

840fdc04e600fd6e0c01d2ee03b0e2f904f08ef1e59dce14b9c4897fa1971f4ad8431321e3061ef09ae981bcae5f008e613f8497745e29f9f007842877b6efa5
SSDEEP

393216:/25KXSlsQ8C+Q5JIkc2rr6of5MJ7ZWqxPAIgtMIMlFRqH0fHbS1K8kn/rbhQyDkd:GKXWsQ8CJIArrKJBH5lFRqH0fYk/pUJn

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

irsetup.exeTLauncher.exejre-8u51-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exejaureg.exeTLauncher.exejavaw.exe

pid	process
1636	irsetup.exe
3464	TLauncher.exe
3464	jre-8u51-windows-x64.exe
1836	installer.exe
1780	bspatch.exe
872	unpack200.exe
2712	unpack200.exe
780	unpack200.exe
3100	unpack200.exe
3176	unpack200.exe
3228	unpack200.exe
3280	unpack200.exe
3348	unpack200.exe
2896	javaw.exe
3872	javaws.exe
3880	javaw.exe
2852	jp2launcher.exe
1280	javaws.exe
1644	jp2launcher.exe
2924	javaw.exe
2748	javaw.exe
2072	jaureg.exe
1724	TLauncher.exe
1116	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-Installer-1.4.2.exeirsetup.exeiexplore.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exe

pid	process
2280	TLauncher-Installer-1.4.2.exe
2280	TLauncher-Installer-1.4.2.exe
2280	TLauncher-Installer-1.4.2.exe
2280	TLauncher-Installer-1.4.2.exe
1636	irsetup.exe
1636	irsetup.exe
1636	irsetup.exe
3492	iexplore.exe
1104
1028	msiexec.exe
1780	bspatch.exe
1780	bspatch.exe
1780	bspatch.exe
1836	installer.exe
872	unpack200.exe
2712	unpack200.exe
780	unpack200.exe
3100	unpack200.exe
3176	unpack200.exe
3228	unpack200.exe
3280	unpack200.exe
3348	unpack200.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
852
852
2896	javaw.exe
2896	javaw.exe
2896	javaw.exe
2896	javaw.exe
2896	javaw.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
1836	installer.exe
852
852
3872	javaws.exe
3880	javaw.exe
3880	javaw.exe
3880	javaw.exe
3880	javaw.exe
3880	javaw.exe
3872	javaws.exe
2852	jp2launcher.exe
2852	jp2launcher.exe
2852	jp2launcher.exe
2852	jp2launcher.exe
2852	jp2launcher.exe
2852	jp2launcher.exe
2852	jp2launcher.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1636-19-0x0000000000B20000-0x0000000000F09000-memory.dmp	upx
behavioral1/memory/1636-662-0x0000000000B20000-0x0000000000F09000-memory.dmp	upx
behavioral1/memory/1636-668-0x0000000000B20000-0x0000000000F09000-memory.dmp	upx
behavioral1/memory/1636-1188-0x0000000000B20000-0x0000000000F09000-memory.dmp	upx
behavioral1/memory/1636-1743-0x0000000000B20000-0x0000000000F09000-memory.dmp	upx
behavioral1/memory/1780-2469-0x0000000000400000-0x0000000000417000-memory.dmp	upx
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/1780-2479-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exemsiexec.exejavaw.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dcpr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f77ee07.msi	msiexec.exe
File created	C:\Windows\Installer\f77ee0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ee0d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ee10.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2292.tmp	msiexec.exe
File created	C:\Windows\Installer\f77ee0d.msi	msiexec.exe
File created	C:\Windows\Installer\f77ee12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ee07.msi	msiexec.exe
File created	C:\Windows\Installer\f77ee0a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAB7.tmp	msiexec.exe
File created	C:\Windows\Installer\f77ee10.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ee0a.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = c046e4b243b5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEinstaller.exeirsetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06d46c343b5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f45d02a7b2b6b747bf0b25aea4013ce7000000000200000000001066000000010000200000009bbd4acbf7c4ce85a00eae9efe8c2e3575e7979b4073b4452402662b1324b608000000000e8000000002000020000000ea9e44832634c945609363d57517e5f6f60ed87bbbb5560765b9767be5494d26200000002e13d5f56d2ce3ba338ada3a37299bf1c846634b2936db79c836d6b30112259b400000003fffc767a465e37dc461431b47154ca25ec10b793a0162d4dfdd53eead718510afeac9c5082d84d64e1ec83ec6d7851353216494074dde53bf32fe4e5670f906	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EAD1EEC1-2136-11EF-805C-EAAAC4CFEF2E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f45d02a7b2b6b747bf0b25aea4013ce70000000002000000000010660000000100002000000020185c87e68197000c667afc8325ddfcd66354bc749757df19928e9df1a90cff000000000e8000000002000020000000423ae2b0c879bfd60cde9dc042c2c41d536599f807ef20ce429e79c149f99d3c90000000c15003209f3f5084767304165d72f557581fb9083aec110e2e89830c5dbf058f93ca4b5a562eaf0c2e16d0f7d3b1890ba58afddb68ae4285aa0f7863845803bca51141ab67eab5a51fa35481e8755a49d5020cf65b1d388eb82a0418c150194d523cc8c2abe36b1a58adfc97bad8fdb75135ed93b9d80ca402ef1f0cc049f08d810fb3734141f62d1e55925e9d31bdaa40000000743ad830a5c579ca01b357cd06124858f35cc62f0a647f38622cfa0488cb31eadab487299a0c85502cc5b45381bbf65ecb66e5d29544c0f8b27c82ac82ff648c	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_53"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_24"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_32"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_45"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_08"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_24"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_21"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

jp2launcher.exejp2launcher.exemsiexec.exe

pid process

2852 jp2launcher.exe
1644 jp2launcher.exe
1028 msiexec.exe
1028 msiexec.exe

pid	process
2852	jp2launcher.exe
1644	jp2launcher.exe
1028	msiexec.exe
1028	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u51-windows-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeSecurityPrivilege	1028	msiexec.exe
Token: SeCreateTokenPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	3464	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	3464	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe
Token: SeRestorePrivilege	1028	msiexec.exe
Token: SeTakeOwnershipPrivilege	1028	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3492 iexplore.exe
3492 iexplore.exe

pid	process
3492	iexplore.exe
3492	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

irsetup.exeiexplore.exeIEXPLORE.EXEjp2launcher.exejp2launcher.exejavaw.exe

pid	process
1636	irsetup.exe
1636	irsetup.exe
1636	irsetup.exe
1636	irsetup.exe
3492	iexplore.exe
3492	iexplore.exe
3552	IEXPLORE.EXE
3552	IEXPLORE.EXE
3552	IEXPLORE.EXE
3552	IEXPLORE.EXE
2852	jp2launcher.exe
1644	jp2launcher.exe
1116	javaw.exe
1116	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-Installer-1.4.2.exeTLauncher.exeiexplore.exemsiexec.exeinstaller.exejavaws.exe

description	pid	process	target process
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 2280 wrote to memory of 1636	2280	TLauncher-Installer-1.4.2.exe	irsetup.exe
PID 3464 wrote to memory of 3492	3464	TLauncher.exe	iexplore.exe
PID 3464 wrote to memory of 3492	3464	TLauncher.exe	iexplore.exe
PID 3464 wrote to memory of 3492	3464	TLauncher.exe	iexplore.exe
PID 3464 wrote to memory of 3492	3464	TLauncher.exe	iexplore.exe
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3552	3492	iexplore.exe	IEXPLORE.EXE
PID 3492 wrote to memory of 3464	3492	iexplore.exe	jre-8u51-windows-x64.exe
PID 3492 wrote to memory of 3464	3492	iexplore.exe	jre-8u51-windows-x64.exe
PID 3492 wrote to memory of 3464	3492	iexplore.exe	jre-8u51-windows-x64.exe
PID 1028 wrote to memory of 1836	1028	msiexec.exe	installer.exe
PID 1028 wrote to memory of 1836	1028	msiexec.exe	installer.exe
PID 1028 wrote to memory of 1836	1028	msiexec.exe	installer.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 1780	1836	installer.exe	bspatch.exe
PID 1836 wrote to memory of 872	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 872	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 872	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 2712	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 2712	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 2712	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 780	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 780	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 780	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3100	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3100	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3100	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3176	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3176	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3176	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3228	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3228	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3228	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3280	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3280	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3280	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3348	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3348	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 3348	1836	installer.exe	unpack200.exe
PID 1836 wrote to memory of 2896	1836	installer.exe	javaw.exe
PID 1836 wrote to memory of 2896	1836	installer.exe	javaw.exe
PID 1836 wrote to memory of 2896	1836	installer.exe	javaw.exe
PID 1836 wrote to memory of 3872	1836	installer.exe	javaws.exe
PID 1836 wrote to memory of 3872	1836	installer.exe	javaws.exe
PID 1836 wrote to memory of 3872	1836	installer.exe	javaws.exe
PID 3872 wrote to memory of 3880	3872	javaws.exe	javaw.exe
PID 3872 wrote to memory of 3880	3872	javaws.exe	javaw.exe
PID 3872 wrote to memory of 3880	3872	javaws.exe	javaw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.2.exe" "__IRCT:3" "__IRTSS:23398040" "__IRSID:S-1-5-21-3452737119-3959686427-228443150-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
2⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3492 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\jre-8u51-windows-x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\jre-8u51-windows-x64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
4⤵
- Executes dropped EXE
PID:2924

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
4⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\msiexec.exe
"C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
4⤵
PID:1596

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
4⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:872

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3100

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3176

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3228

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3280

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3348

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2896

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3872

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3880

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
PID:1280

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A312A029270EA4E48C32A176DB8670C7
2⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
3⤵
PID:2664

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1AF5385E205931C1C05DDCCE18244EDF
2⤵
PID:1340

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77ee0b.rbs
Filesize
788KB

MD5
a1f020e04cf3d7a6a08df9e19866e50e

SHA1
791438694855c468e06bab6a4810aa2b1e842f65

SHA256
ed7e11fd7a0d09fa13d61d1921bf81864aae7d31b6e0e21e1cf50e13edf10f2d

SHA512
8d45ca43118fbf816bdd8d8205cf15976cee90702aca3d17d99557ce33f2ad12dda98e12e2aa0241c67b66a1a27a7788944ed9ceee2ab29c22360bda30c06ea9

Download Submit
C:\Config.Msi\f77ee11.rbs
Filesize
8KB

MD5
885114703251fd9d6343e967ae0e54d3

SHA1
1f917c1621355a8d404d8febf7b74603c091482a

SHA256
184cb0aed017f4dd0568dc3b9bbddd4ce9e1cdcdf20f6d1aef5c40463f29d4a1

SHA512
28120f79bc791b7bba9bc92ed3919a66e5ea802d23f97e090df2b1f41cbacf68439f439adc252b9e055fee664e2523defde5819b8ea9335375a0743ba3ac5111

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack
Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack
Filesize
1.3MB

MD5
2ad7c3462a7494b29edbe3701ebeab4c

SHA1
7358ab9b0c4771efdc0d28764b90a46aac55e865

SHA256
7cdc489fa093e924649e82f4eb9689bc1bc0d28e20e37a0a94060efd5428c2db

SHA512
8b1f0f5932896f1876e5f8137dc8f74ff79f02b7708220b53ab2146fc742403ee952c68dddff9a92c786d4a534f7a266327934a8fe84a3c979c016cc8c93efdb

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack
Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
5045963f2f3edf90c8bca8ad623d8ca7

SHA1
c0a2729fc8e9b10d01658b5391a54e783fe13ea1

SHA256
3638488981c1c73205ecf3c13253e8fa4ae7a70110f6e87da7f4746962d587de

SHA512
3e054dfe0a69c357ad6eb0f7cf3abb574962ec21d4af1817e5c95b2b7766f87c108ed71e9bdea020a09ef4d6c971e5b8ec502554f018ccf1b1c9092ae491ecc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
4471f5087c2379f776de68df98528f93

SHA1
6e92316beb7a60d5ccbefb495d24ac61fb1655bb

SHA256
e2843fcc3d6b9864e059275af94114369b3f9bc24c06beb8c4d2a65a4bcd6ffa

SHA512
c700f25359be1cefdf63ef843f1689645875b96f98e7d514902f36c35814558a92abf2059d64c9048d266acba65ed01055199ba682ccd6bb87f2f8406bbcbd74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
Filesize
180B

MD5
7ed3cce70f2846147d3c0891aa399aed

SHA1
b1429194a2940ff93703644d1bbe12bdc7e7c083

SHA256
b49e155f202c2859df53e508ba86265ea6a3ea3deec4fe9d167d6de9fc23e64c

SHA512
a5686c1be321e5430fe94cd14add4f0aa011859682f50cd2bedafeeaebb0b24b3a4abf37f3c155e7a127f45e7d4b3666008cb3b6b789727f841b54a56abf2a07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e5ba217c9f076a7a06b8c849b3bb5630

SHA1
d9db8026acae025ad24232a0ef385450b2e3e58b

SHA256
a12bc63adc6de882fcdda29e2ad98907edb3f138abd6bc812ef3457fcf4e1d4b

SHA512
e3eeadbd061017e7648547dbd9d5fb4610519dc229f17646f2b224b746d66bb624c446830edb08b20f3b46328a60998022ee980095c7aca80d100f1fce04d1cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
fc6d0e6042abc4affbafa92bb59e83e9

SHA1
334a9b8918aebc1740908a9dfc19ab38d558b017

SHA256
552ce8936cc79f52837c54885418733f271b9101246a5023feebd349623ac859

SHA512
f5f467e027c471dc06ef1b6a7c307959bdcd0ce36cf233739321eea4f764d0f7746fd74277d2c0dd6de1a165e397565d40b6b3c6fa82ee9ded20a7d86a926088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
efb8053536670ba0ecf2ee9223178d24

SHA1
229bf4dfe011c86ea2b447ddf903d9d9d9930be9

SHA256
7c182e78a2faba5d9e1b7a47d14e377b92a244dd613e2818105544c9f6335a4a

SHA512
d7efe6c1e01c28c860dbcd727eb237d7265ab4265386f9d702edd90e9cbbbcb482a5aa560274445fc52faa0846c62405f213def875f9e88429829dbbbadf3b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b68d7536ba2b464a85f789383ac1b63a

SHA1
0b7e48911d1f5cc6ee9581129f632d01a7d49037

SHA256
19875eee6a66f8a3d75b8476ec36bc8670b10e6835b2a984eb799497de1334b0

SHA512
ef26d398927eb10d006b0f80a8d45d7025b7a7887513f8adc040052b017053ef11e87200d2d06b24a97f893d22165fd0bd7799dd9bc2151a1cd9849c34adeb4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
111393987a11fb0be032ce555f0def39

SHA1
360e53c9d60e06ac4bcc2b4cfa046742f957ec4f

SHA256
86f79b26dbf91dffc33e3dcad3cc2cbcee61bf3d243ef4c450074717d05481d5

SHA512
ede0863800da53b9a9aa68e79346b0ec187500249bcbc882c0273a2006002af170a1438628460b267eae4185ac5fc257aeed07d3e894bfcd5e217cb58cf5fb5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
41fcafece564f4d30e17d6e8dbbde135

SHA1
47927a53e00fd66640e40ec3259f724da7a7da89

SHA256
621ed6bc1f0705eebf10c5c20de667c6571b04c59cb3ce971fc6e41e9c5ac84b

SHA512
867aa1c301d8f88a5f108ce4322dd9582298120249c873dcc631d90498efe302789cdfa1cb1947c85601027e248f1feee730bbf8548b7839b0a62336808f2865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
303e755066fcaa27232fad4b26d8231c

SHA1
db10de30cb3edf000c6321f831569a655a0c8173

SHA256
7a12e8c371ed29c0779ee4ea8cd7330939d91950cdaf394cb0c0498b69be79fa

SHA512
62248215cd1899ef40ce478eba36a7ccea8b65ad077aeb91a53994eca27ef44ee08b788f8397c34837a0f5b12a996fc03fbb3838867ed2953106bed56c8ddb53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
62c7de04e9173142b30f3c5942d4ee0f

SHA1
eaf64485e0dfa6d1408820418a127f540693922a

SHA256
460ce349fe242bda86c449dca286e7af578697217dda1e3246b0fc66a0851758

SHA512
151a39a81006143c4c682f9314b7e12fbebcbd2e6b599a488c175ac6cbc19a95f1d8b60ad026c7392678b90f2fd1c9836626a63df81d39c62f9f4e129ea47f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b19628c95dde153bd054529661147fbb

SHA1
afe774c3c4c69aa0716635c44d3296d87ceedcd7

SHA256
d56641352d474556e17e8952086f489efd2bb1d5c2788610f4accbc053c5636a

SHA512
af5858da006901bb094116406354c9795b47a31b9bae9f991e653dd5717d21c68c561413d2aac9617f18512a8a2d927ed239a14d2e7274f91520c74cbb1eeb49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
abf668be7f2c7086919a0f74572c3067

SHA1
6eedba81944885418a0c2d7b8df27e363ac9bf42

SHA256
74ad240bb5f0ba2adc6324712e04f702e16d7053f47938dc25b6e688cc23079e

SHA512
f072155b4d2045f4b40573399d365f63b475e373886fd11da8d02bf8f4d9efe58b2fa3d0d98b67e4a1c85719ca4f29de7a1d84ca6d594845b4b8e84642be6c07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
74464bec32ecdfb795512733492b6a25

SHA1
6115c9639f181e0e1694d8090608c7b76a32e511

SHA256
7ae870408b20758b4e48d0064f67ff3ed2a0b4ef526fe3e1e8aa185da01dd862

SHA512
9d74280766ceb240e7d12d04a357b26296bc46612e518cc61a92d3728ddf10345ec1d291ca463161367da977e16833f10f4d6f7fff2254d89f08dd02935e313a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
b355e1aa7dab450b39bd213a0a94f3d4

SHA1
5c660e877dcb42d0cb7dfeac1eb6f73c40587aae

SHA256
67281de0e46264c8aa7e6444a71ebedc777cdb0403f3f8fdd23fadcce18377ac

SHA512
8d2d9b6c6749dba432975d3130fd9b6b784e7a34eb3c0bd925a0a2a98e38fa360f316768629d097f1018a50681e41d4c7310821d2d81c068209056d73435a9bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
4e1910d5b9c6c6ce32e560c728739df1

SHA1
f1f30bbf92854ff01018936c49d399ca69d203b6

SHA256
7708f145a008a58bb05adcf3739a56a6894d7fdf1fd789064426a0e0cff1ddbf

SHA512
8202e20136c253dd83bef48a1cda6fe39d5b37baf3c292a7fb0a11f519872f7e140e38737acddf247a32d6f5ec6372b3361869f7cdb2dff4a887c2f66fedc473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
3f96f53d80163c820dd9ff086abe37de

SHA1
d119f2c657b1799497b85f791890d43d54696771

SHA256
218a40db2329441fde5d28ba5071334a4de6244db27c971579594e04964aa637

SHA512
da00703d8338f4ea012de7c7e09a615a9a04705ef4a20f6bb9cf1ec8ba8c7fc5976e08a83da4740e9cbec40e351b885426fbe5ca9c93afc6faef4dc28ea03275

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
64eedcc4836c263fb11e6b17ee18148f

SHA1
a2107cd5ce756916f01aead59389c3919c4c6e87

SHA256
ee0f9fcbe4b25c946e7c61fc5d73dd5a6e5984bbe5fca0e154784905b3f19dcd

SHA512
b4e913070f1af32d8e812dbf6be66c65dacd9c288e1312070ed79bccda915b1e75c38981ca7e34aab253cbb930eace87e81d746469b74902ac037109664c29dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
700424268f9cba976072d83467ead04f

SHA1
cd65005e7a0c202980222c05a2585eb892fca0a1

SHA256
0f74081fe023a019aafcfa88e7e39965605b7621dc8a85e26c93909fdb46d8cd

SHA512
a78e11a0e3cf9ecb247aca0b7b5e8c67ae56e9e96adfb37884400b136b6662171a3091bb3bb7d527078e617e31cc88922442d53307c0681ba18403fc177bd2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\jre-8u51-windows-x64.exe.uzq3jdy.partial
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D39.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.6MB

MD5
2885c4a1dc2bc52ea298b8d9c7e1bfbb

SHA1
964bff819cbfd38692900403460c67b9d0dae8b0

SHA256
4007ca82da52600902ad2e269445e0ae15701187d111ba7f59546c7dfe1fc3dc

SHA512
e0480ece21136a29a727fe99001fae8a9009a4ce92bb1a48644cf20dfc57fe70cb685b6427a6582f85ac2ffee93d85fe91c7cb1bc5b8e2121f3cb38907da2e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG
Filesize
43KB

MD5
9d0f62b656198cc2751cab6bf2a36a46

SHA1
616dbed062f7ef1be165cb167ea5788867a34923

SHA256
d1ec7db451e7e25d970fd62b22a7779a3f59eb3978a0081120d069ffbdb14295

SHA512
2591c988f685b9140a7fada6320f3ef5763ecce62cc47bf0f9bba6885b1714e136bb552672d9656efd19a08ea891e1686270fe56289598c6093dc8483a5f7636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG
Filesize
644B

MD5
faefac14b9ba4ba2f2571fb164539f77

SHA1
9dd91143d4a95e52f9c380e3c3ce23c9180eaa15

SHA256
6509bb99d5392d840700e08452366518bc5ed578ee36b964adbee69f37048b2d

SHA512
f9851d8f801fc78739ab038375401582a7d8554df0efa05bd397127a0e431520c6715c5ebe65cc012306aa542128484f387473d200f58b0065581403721c9e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG
Filesize
40KB

MD5
e802a83fd63eefd5b70eb246f075639b

SHA1
5d201c7d3172ceafa318151acf499270f33db060

SHA256
50c8dccb06fe1332b471400c9d5d1bfcb47df1833077ada7e54e0018a82deee5

SHA512
7febb82664b9b160f5b00d978bb97d2f993a7d40a70696a40ffc472fdea23a636f5faaee6a67fd74c55d7c17b685e38e7f6d14be88f9f260d6520f17af06f09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP
Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG
Filesize
438B

MD5
b66b94a905366bf25b5163fe5925e0d9

SHA1
b0e91b1797a1f9455d111e9d8dd5bd4aa72e935a

SHA256
0ced93717234ba2914c3a3b5c2dae4a7c4c52fd5393415e7c1482e4cb4ccf7f8

SHA512
2fc07db7c8791eb2c0eb67eb50b472f61fc180a281159f9a68d3e49391d89545726ef0a481d0efa8267eee64ee6514835a81a09bb537e62889612baa95a5bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
da79e9f2d5f305567f337ffa0983cbd3

SHA1
d999c364b64d71e22ce9cccfc33ec895b437a161

SHA256
81314807f052a8f65d16934d6386491f39ee89d537798008f28cb43c07fcfe21

SHA512
2e08ace373b5ef9c303287ab3ecb4009c95fce42eb25b88562e8c3d1e3823442eaab036e2fb1be578ba9a64153dcbe7d9291717170370d47887b2e683b0b9214

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
78de628097965c30cedc7230ae1eebfb

SHA1
613098fe84a53b3f97edc626f5b97faed0d61d9d

SHA256
4c4ded4149d005c2f518f560b9a5c5caed3999d19efe6141f5bd844a9f56b628

SHA512
06c8c71a76a013f6419a29b6b977400233e7ea1cef58949df8ebf552053bff2aee35b5b22a9a39bd68f46aea0fd91a4b61c361a4cab5757be06d4cdf8e5d4933

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF1F6B71DDAC95ECCF.TMP
Filesize
16KB

MD5
3e16b21581d93d9db0ab740d9030fb96

SHA1
06a73a5eeb6ae081a6499587e32f9b014f8efc6a

SHA256
9f35d08a48c743d575cd811a2b14c4998dc8bebe8f6190b8f9aa5ed2e758d768

SHA512
38629013ddd1311d71cb650ffe2a1bca8893e51d031e75ca414a15ec5cb87cacc28c037b55285058c43df24d5fe5834bdd59b130644c3bd1b2db9f4d98c52e57

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG
Filesize
45KB

MD5
b3900ec4c610092ddcecd3fe8d14a529

SHA1
f3c0713b0fa185bc2acd774ea4b6a7a568b20f2a

SHA256
d077af4a50d041a710c2362e29da0dcc4eae5c90cc7aa3f058a2cbed28f1c5a4

SHA512
5dbcab9c44fced17af4a1dcd713c81c079689e53a979501e2a0714494f553305d03bf52270b533828a71a9ad2c0c722f87a64a91c3b0e7cc4484774b4b54daf1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG
Filesize
206B

MD5
cecc7c02d44d9c449121a542bb0fb36c

SHA1
6984cb702147fa42d975f101b286d802c66148f9

SHA256
a64ddc02113b74aedc3e77837b5045b178e82978e68e9be9d04425eefc6fc690

SHA512
e4a5bf35cbfe71789cee597df48268679b76093ac3dfa22cdc71015e734f6f68027e5efa489e6d010ec3b67f0eb56508cee949905e6a2d48c438b02d19edcd79

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG
Filesize
41KB

MD5
b5fb5788225a22d2235f27b5f4f0a275

SHA1
0820031da047efec3105b7f52c4254170102700f

SHA256
58f73ecf94e61492320c1cbaeed3b989fb60131d1441320cab502768c67a58c3

SHA512
1cdda78535038b51ef264acfcfc299bfa3521f69ad6d86b4451c0a3e311c882fd442094e99a213304670f0b4c50aada99b3559c4b55422261cc6b37b431955f3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG
Filesize
475B

MD5
cee48467f5141425823298a0726aa52a

SHA1
8af5b57d4163514bdf1f1548ba612f227539b532

SHA256
d8aba6d89980c78a3554511653a7147210f544dabc457011a45957be596a7b72

SHA512
48c7ec8ba3087e06a38d66d2c3548c37ff02efe508a6303d3361de38c1d27ec8f8b17aa07eccb9e2c7ea10478d548c8049a3a50f13dffb0a006eded034e9fff9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
368B

MD5
b196ede7761b55fd40b2167723f489b8

SHA1
c6fb9ec2a28bb6cb0c052d05018e9c81205244c9

SHA256
987b0a991162db5aa6d7560abd18474818e0639aed080643132c42b701fd1d8d

SHA512
661f91be3e77679cda55a63ab50636b2b68256e08bb4ed511e646bbf6835f85c3959388632843a1062677b5e405c1d76a09890086feb3d23f52cd72885763497

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
17KB

MD5
28d1e2ae273aac31a1a7a75c7b82e49c

SHA1
3e811172958b35ffcdbb9ea3d87ff8d9cf591332

SHA256
2a09d6b6c635d2a05f1371cbb1dc2a549a527de7366dcb5da0aa89e34959430b

SHA512
ddf8fba19a68deceee29f9f37878ac1a9381fbfc27c593a0bb3d70fb3fc539468fe7fa6ef5deeb3f7c0f2b44005623e0ac9d5059695af23ec640c21448c6ecdd

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
4KB

MD5
7485ba0021020f5e01c5f5d1dc46a259

SHA1
374e07adb890b335d4847bd9b9d355fa049e47d0

SHA256
66cc78022a6aef9a56a2d19fd9d80a93c7b2dc3fb1b939d765e001085dd04051

SHA512
db41e162066552222fbab87eebe1e6a821aab52fa770973af85ff6db2fa6e916abd74413b19f52baef2768e6a30a74b0868ab32eb1446778e27c626142762e20

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json
Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json
Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json
Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NB4ER2HB.txt
Filesize
512B

MD5
4ffa741ee5dc9e96983fbf05177597ce

SHA1
75314554ab61edcd4d61c46529474c7f636d6038

SHA256
66b23bc662a094dff8829a49d78cfd1d9417005a6e89f8f241693677d2bc48b8

SHA512
eb07b6ae9ded302d379cff39f0306a779338ea2eff72d27061812cec4865c29d6791df5b50892a0b0bf050236b9539d61289c674f613783e78139de4ce9fac09

Download Submit
C:\Windows\Installer\f77ee12.msi
Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.2MB

MD5
cd0ba34e6182159d0c7a70c40fa0bf6e

SHA1
a20c20dee4b7ecd1e2c1f6b025e2766b583e2c38

SHA256
fe88a318681b47a1e9aad79cd8b42fed323555fed23a04633b1bd16921380d86

SHA512
2c540e510bd22fd70dc6393599b13aa1cd820b8434692b4fb2cdc60c08f4c03e4a4d0357e75672d4c08573d15ba3d1e62692756c30be00226225b5bec0efd79e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
memory/1116-3207-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3211-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3206-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3210-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3214-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3162-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3212-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3199-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3142-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3220-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3118-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3104-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3102-0x0000000001CB0000-0x0000000001CBA000-memory.dmp

Filesize
40KB

Download
memory/1116-3103-0x0000000001CB0000-0x0000000001CBA000-memory.dmp

Filesize
40KB

Download
memory/1116-3069-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1116-3234-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1636-663-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1636-583-0x0000000000560000-0x0000000000563000-memory.dmp

Filesize
12KB

Download
memory/1636-667-0x0000000000560000-0x0000000000563000-memory.dmp

Filesize
12KB

Download
memory/1636-1743-0x0000000000B20000-0x0000000000F09000-memory.dmp

Filesize
3.9MB

Download
memory/1636-666-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1636-662-0x0000000000B20000-0x0000000000F09000-memory.dmp

Filesize
3.9MB

Download
memory/1636-582-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1636-668-0x0000000000B20000-0x0000000000F09000-memory.dmp

Filesize
3.9MB

Download
memory/1636-19-0x0000000000B20000-0x0000000000F09000-memory.dmp

Filesize
3.9MB

Download
memory/1636-1188-0x0000000000B20000-0x0000000000F09000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2925-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1644-2881-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1644-2918-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1644-2924-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1724-3059-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-2477-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1780-2476-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1780-2475-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1780-2479-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-2469-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2280-16-0x0000000003210000-0x00000000035F9000-memory.dmp

Filesize
3.9MB

Download
memory/2280-18-0x0000000003210000-0x00000000035F9000-memory.dmp

Filesize
3.9MB

Download
memory/2280-664-0x0000000003210000-0x00000000035F9000-memory.dmp

Filesize
3.9MB

Download
memory/2280-20-0x0000000003210000-0x00000000035F9000-memory.dmp

Filesize
3.9MB

Download
memory/2748-2989-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2748-2991-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2852-2833-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2852-2876-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2852-2832-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2852-2870-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2852-2877-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2896-2748-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2924-2972-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3464-1746-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3880-2828-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download