a49a364b7394a70e5bac73917bd825b703aa9f11b66848069379b01a595ca307

Resubmissions

13-06-2024 14:15

240613-rkz25asdja 8

13-06-2024 14:15

13-06-2024 14:11

13-06-2024 14:08

13-06-2024 14:05

Analysis

max time kernel
702s
max time network
703s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 14:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.5.exe
Size

22.8MB
MD5

b4c335fec6bbb46bc5e8dfd74be77a78
SHA1

da6aeca92a7b0e562f1db8e83d73386046b1beb7
SHA256

a49a364b7394a70e5bac73917bd825b703aa9f11b66848069379b01a595ca307
SHA512

caca2ce1edbbdf04b1eb0ad2eff2f5c73f2d51db5b49612a516325b27329f4ee7db86dea0e2fa8df264b40557d0167112a22440bc4ef513089ba11e90720a15d
SSDEEP

393216:025KNJux8K2E+Q5JIkc2rr6of5MJ7ZWqxPAIgtMIMlFRqH0fHbS1K8kn/rbhQyD0:RKNJuIMJIArrKJBH5lFRqH0fYk/pUJ8a

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

pid	Process
1680	irsetup.exe
2028	BrowserInstaller.exe
2596	irsetup.exe
2088	jre-windows.exe
1932	jre-windows.exe
1276	installer.exe
2084	javaw.exe
2056	ssvagent.exe
2416	javaws.exe
2064	jp2launcher.exe
2032	javaws.exe
2896	jp2launcher.exe
2780	MSI3829.tmp
2856	javaw.exe
2176	javaw.exe
1248	TLauncher.exe
2808	javaw.exe
2128	TLauncher.exe
2968	javaw.exe
1284	TLauncher.exe
540	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2188	TLauncher-Installer-1.4.5.exe
2188	TLauncher-Installer-1.4.5.exe
2188	TLauncher-Installer-1.4.5.exe
2188	TLauncher-Installer-1.4.5.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
2028	BrowserInstaller.exe
2028	BrowserInstaller.exe
2028	BrowserInstaller.exe
2028	BrowserInstaller.exe
2596	irsetup.exe
2596	irsetup.exe
2596	irsetup.exe
1680	irsetup.exe
2088	jre-windows.exe
1196	Process not Found
1196	Process not Found
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
3044	MsiExec.exe
2964	msiexec.exe
1276	installer.exe
1276	installer.exe
1276	installer.exe
868	Process not Found
868	Process not Found
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe
2084	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2360	icacls.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0063-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0155-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0141-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0222-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0344-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0151-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0094-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0136-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0132-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0166-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0052-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0202-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0383-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0112-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0105-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0275-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0306-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0272-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0308-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0068-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0335-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0210-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0232-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0034000000013a53-3.dat	upx
behavioral1/memory/2188-17-0x0000000003420000-0x0000000003809000-memory.dmp	upx
behavioral1/memory/1680-20-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-714-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/files/0x000400000001dca3-777.dat	upx
behavioral1/memory/1680-779-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/2596-783-0x0000000000AC0000-0x0000000000EA9000-memory.dmp	upx
behavioral1/memory/2596-847-0x0000000000AC0000-0x0000000000EA9000-memory.dmp	upx
behavioral1/memory/1680-1487-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1494-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1510-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1512-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1514-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1517-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1519-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1521-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1523-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1525-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1527-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1531-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1533-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1536-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-1695-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-2518-0x0000000000E80000-0x0000000001269000-memory.dmp	upx
behavioral1/memory/1680-3569-0x0000000000E80000-0x0000000001269000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
29	2964	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\javaws.exe	rundll32.exe
File created	C:\Windows\system32\java.exe	rundll32.exe
File created	C:\Windows\system32\javaw.exe	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Porto_Velho	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxwebkit.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jaas_nt.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\rt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\default.jfc	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\README.txt	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Menominee	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\decora-sse.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Maputo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Makassar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Malta	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Godthab	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC4DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC51B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2071.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5B9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC761.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC939.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b8f6.ipi	msiexec.exe
File created	C:\Windows\Installer\f78b8fb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3828.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI649A.tmp	msiexec.exe
File created	C:\Windows\Installer\f78bb43.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC636.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6D3.tmp	msiexec.exe
File created	C:\Windows\Installer\f78b8f6.ipi	msiexec.exe
File created	C:\Windows\Installer\f78b8f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2082.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3887.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b8fb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b8f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC410.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3829.tmp	msiexec.exe
File created	C:\Windows\Installer\f78bb45.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC85C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC938.tmp	msiexec.exe
File created	C:\Windows\Installer\f78b8f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78bb43.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f78bb40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6390.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBEF.tmp	msiexec.exe
File created	C:\Windows\Installer\f78bb40.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_90"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_95"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0097-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0307-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_307"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_10"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0372-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_372"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0271-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0176-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0308-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0396-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0294-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_144"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0240-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0294-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0374-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0093-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0352-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0112-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_84"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0394-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_166"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_171"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_211"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0204-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0379-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0341-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0404-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_404"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0141-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0235-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0336-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0160-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\JavaSoft\DeploymentProperties\deployment.roaming.profile = "false"	jp2launcher.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0099-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBB}	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0341-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_38"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_78"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0324-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_201"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_33"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0245-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0096-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0177-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0372-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0397-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0178-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0145-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_145"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0362-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0181-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0205-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0237-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0178-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0362-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0186-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0255-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0117-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0209-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_144"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0374-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_279"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0363-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0138-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_201"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0066-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0213-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBA}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}	rundll32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BCC37D24A63088F24462C3A21B1B04AA10961D91\Blob = 0f00000001000000200000001e850f0f23ab786c192063e2527279d7e65b6e2696792e72e23e109d463daa74030000000100000014000000bcc37d24a63088f24462c3a21b1b04aa10961d912000000001000000f9020000308202f5308201dda00302010202103d02c7c42b1a04d79deff140ba35654f300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303532373137303030305a170d3239303532363137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100daf26950675075c350f4d7be050e6b8a9134b1ab051355aa28bb9be561ff7972b85a75d7745237d5d2e9bf4b107f2c40f073fb8eb8f23adbebccda457795a109d1b7a8e90d439dd7388fa8cf336b97f6bc9d3a45b7aecb6dcce35abebcebce50711670a76937bb45ba3021b312ae4ca542ba1d3c987a164eaf301d0b762e78133ecec125720a945d030e9a5f9cc71f9f48808852f6a1f5d61a371298377174cbb12087d2c07f29907485111f629f70c1e035c0680d47183322f784d427310ea2adcf4e2e4cfdf1f0e3ceefa3ccaf8849d29523365914a61eff71d12055dfdbb8844da930ed34a26bf0f466bc74dd5b51a4bbf818d14823bf08f14e98dd0d72150203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414045004069dbbfe7e5eb83b5cbfc128ce0f7c2f99300d06092a864886f70d01010b05000382010100ae7424ecbb5ca144ab4e10644570c3ad37153e0a117c772b805cba4697154196634b5814b8ecc5a63fb148e3aecd25c7628cb55061315dfcd163bac33307f2fd372f1f62480dc6d7ce494d401ac444ff4e25201b81c595dd2c915715cd462bc2e7e6907843ea28db0def47dfb580350bb9a39e16d6ee95bd634794374cf38d983497179986df12022aa23fd8c1eb1b5a76d6cf15dd2594c5c66abebf3be778be737926d01616f2c2b57c36538ca47d7c76500e0ef17ce0cca367cb47ab0ac5354ae9bd732bad25c6fd7d71d04f0d76b0f1c58bffd37514973d5bcf8ea5b2ecee021baa50006497add154ab950c0607eff9b1e5b0ef4c531868771d7e573354c6	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BCC37D24A63088F24462C3A21B1B04AA10961D91\Blob = 140000000100000014000000045004069dbbfe7e5eb83b5cbfc128ce0f7c2f99030000000100000014000000bcc37d24a63088f24462c3a21b1b04aa10961d910f00000001000000200000001e850f0f23ab786c192063e2527279d7e65b6e2696792e72e23e109d463daa742000000001000000f9020000308202f5308201dda00302010202103d02c7c42b1a04d79deff140ba35654f300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303532373137303030305a170d3239303532363137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100daf26950675075c350f4d7be050e6b8a9134b1ab051355aa28bb9be561ff7972b85a75d7745237d5d2e9bf4b107f2c40f073fb8eb8f23adbebccda457795a109d1b7a8e90d439dd7388fa8cf336b97f6bc9d3a45b7aecb6dcce35abebcebce50711670a76937bb45ba3021b312ae4ca542ba1d3c987a164eaf301d0b762e78133ecec125720a945d030e9a5f9cc71f9f48808852f6a1f5d61a371298377174cbb12087d2c07f29907485111f629f70c1e035c0680d47183322f784d427310ea2adcf4e2e4cfdf1f0e3ceefa3ccaf8849d29523365914a61eff71d12055dfdbb8844da930ed34a26bf0f466bc74dd5b51a4bbf818d14823bf08f14e98dd0d72150203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414045004069dbbfe7e5eb83b5cbfc128ce0f7c2f99300d06092a864886f70d01010b05000382010100ae7424ecbb5ca144ab4e10644570c3ad37153e0a117c772b805cba4697154196634b5814b8ecc5a63fb148e3aecd25c7628cb55061315dfcd163bac33307f2fd372f1f62480dc6d7ce494d401ac444ff4e25201b81c595dd2c915715cd462bc2e7e6907843ea28db0def47dfb580350bb9a39e16d6ee95bd634794374cf38d983497179986df12022aa23fd8c1eb1b5a76d6cf15dd2594c5c66abebf3be778be737926d01616f2c2b57c36538ca47d7c76500e0ef17ce0cca367cb47ab0ac5354ae9bd732bad25c6fd7d71d04f0d76b0f1c58bffd37514973d5bcf8ea5b2ecee021baa50006497add154ab950c0607eff9b1e5b0ef4c531868771d7e573354c6	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BCC37D24A63088F24462C3A21B1B04AA10961D91\Blob = 190000000100000010000000e403f19f03627c11c48a980ae25c07270f00000001000000200000001e850f0f23ab786c192063e2527279d7e65b6e2696792e72e23e109d463daa74030000000100000014000000bcc37d24a63088f24462c3a21b1b04aa10961d91140000000100000014000000045004069dbbfe7e5eb83b5cbfc128ce0f7c2f992000000001000000f9020000308202f5308201dda00302010202103d02c7c42b1a04d79deff140ba35654f300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303532373137303030305a170d3239303532363137303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100daf26950675075c350f4d7be050e6b8a9134b1ab051355aa28bb9be561ff7972b85a75d7745237d5d2e9bf4b107f2c40f073fb8eb8f23adbebccda457795a109d1b7a8e90d439dd7388fa8cf336b97f6bc9d3a45b7aecb6dcce35abebcebce50711670a76937bb45ba3021b312ae4ca542ba1d3c987a164eaf301d0b762e78133ecec125720a945d030e9a5f9cc71f9f48808852f6a1f5d61a371298377174cbb12087d2c07f29907485111f629f70c1e035c0680d47183322f784d427310ea2adcf4e2e4cfdf1f0e3ceefa3ccaf8849d29523365914a61eff71d12055dfdbb8844da930ed34a26bf0f466bc74dd5b51a4bbf818d14823bf08f14e98dd0d72150203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414045004069dbbfe7e5eb83b5cbfc128ce0f7c2f99300d06092a864886f70d01010b05000382010100ae7424ecbb5ca144ab4e10644570c3ad37153e0a117c772b805cba4697154196634b5814b8ecc5a63fb148e3aecd25c7628cb55061315dfcd163bac33307f2fd372f1f62480dc6d7ce494d401ac444ff4e25201b81c595dd2c915715cd462bc2e7e6907843ea28db0def47dfb580350bb9a39e16d6ee95bd634794374cf38d983497179986df12022aa23fd8c1eb1b5a76d6cf15dd2594c5c66abebf3be778be737926d01616f2c2b57c36538ca47d7c76500e0ef17ce0cca367cb47ab0ac5354ae9bd732bad25c6fd7d71d04f0d76b0f1c58bffd37514973d5bcf8ea5b2ecee021baa50006497add154ab950c0607eff9b1e5b0ef4c531868771d7e573354c6	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BCC37D24A63088F24462C3A21B1B04AA10961D91	irsetup.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2596	irsetup.exe
2596	irsetup.exe
2964	msiexec.exe
2964	msiexec.exe
2416	javaws.exe
2064	jp2launcher.exe
2032	javaws.exe
2896	jp2launcher.exe
2780	MSI3829.tmp
2964	msiexec.exe
2964	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1932	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1932	jre-windows.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	1932	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1932	jre-windows.exe
Token: SeLockMemoryPrivilege	1932	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1932	jre-windows.exe
Token: SeMachineAccountPrivilege	1932	jre-windows.exe
Token: SeTcbPrivilege	1932	jre-windows.exe
Token: SeSecurityPrivilege	1932	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1932	jre-windows.exe
Token: SeLoadDriverPrivilege	1932	jre-windows.exe
Token: SeSystemProfilePrivilege	1932	jre-windows.exe
Token: SeSystemtimePrivilege	1932	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1932	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1932	jre-windows.exe
Token: SeCreatePagefilePrivilege	1932	jre-windows.exe
Token: SeCreatePermanentPrivilege	1932	jre-windows.exe
Token: SeBackupPrivilege	1932	jre-windows.exe
Token: SeRestorePrivilege	1932	jre-windows.exe
Token: SeShutdownPrivilege	1932	jre-windows.exe
Token: SeDebugPrivilege	1932	jre-windows.exe
Token: SeAuditPrivilege	1932	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1932	jre-windows.exe
Token: SeChangeNotifyPrivilege	1932	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1932	jre-windows.exe
Token: SeUndockPrivilege	1932	jre-windows.exe
Token: SeSyncAgentPrivilege	1932	jre-windows.exe
Token: SeEnableDelegationPrivilege	1932	jre-windows.exe
Token: SeManageVolumePrivilege	1932	jre-windows.exe
Token: SeImpersonatePrivilege	1932	jre-windows.exe
Token: SeCreateGlobalPrivilege	1932	jre-windows.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1680	irsetup.exe
1680	irsetup.exe
1932	jre-windows.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe
2596	irsetup.exe
2596	irsetup.exe
1932	jre-windows.exe
1932	jre-windows.exe
1932	jre-windows.exe
1932	jre-windows.exe
2064	jp2launcher.exe
2896	jp2launcher.exe
2808	javaw.exe
2808	javaw.exe
540	javaw.exe
540	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 2188 wrote to memory of 1680	2188	TLauncher-Installer-1.4.5.exe	28
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 1680 wrote to memory of 2028	1680	irsetup.exe	30
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 2028 wrote to memory of 2596	2028	BrowserInstaller.exe	31
PID 1680 wrote to memory of 2088	1680	irsetup.exe	36
PID 1680 wrote to memory of 2088	1680	irsetup.exe	36
PID 1680 wrote to memory of 2088	1680	irsetup.exe	36
PID 1680 wrote to memory of 2088	1680	irsetup.exe	36
PID 2088 wrote to memory of 1932	2088	jre-windows.exe	37
PID 2088 wrote to memory of 1932	2088	jre-windows.exe	37
PID 2088 wrote to memory of 1932	2088	jre-windows.exe	37
PID 2964 wrote to memory of 3044	2964	msiexec.exe	40
PID 2964 wrote to memory of 3044	2964	msiexec.exe	40
PID 2964 wrote to memory of 3044	2964	msiexec.exe	40
PID 2964 wrote to memory of 3044	2964	msiexec.exe	40
PID 2964 wrote to memory of 3044	2964	msiexec.exe	40
PID 2964 wrote to memory of 1276	2964	msiexec.exe	41
PID 2964 wrote to memory of 1276	2964	msiexec.exe	41
PID 2964 wrote to memory of 1276	2964	msiexec.exe	41
PID 1276 wrote to memory of 2084	1276	installer.exe	42
PID 1276 wrote to memory of 2084	1276	installer.exe	42
PID 1276 wrote to memory of 2084	1276	installer.exe	42
PID 1276 wrote to memory of 2416	1276	installer.exe	44
PID 1276 wrote to memory of 2416	1276	installer.exe	44
PID 1276 wrote to memory of 2416	1276	installer.exe	44
PID 2416 wrote to memory of 2064	2416	javaws.exe	45
PID 2416 wrote to memory of 2064	2416	javaws.exe	45
PID 2416 wrote to memory of 2064	2416	javaws.exe	45
PID 1276 wrote to memory of 2032	1276	installer.exe	46
PID 1276 wrote to memory of 2032	1276	installer.exe	46
PID 1276 wrote to memory of 2032	1276	installer.exe	46
PID 2032 wrote to memory of 2896	2032	javaws.exe	47
PID 2032 wrote to memory of 2896	2032	javaws.exe	47
PID 2032 wrote to memory of 2896	2032	javaws.exe	47
PID 2964 wrote to memory of 1936	2964	msiexec.exe	48
PID 2964 wrote to memory of 1936	2964	msiexec.exe	48
PID 2964 wrote to memory of 1936	2964	msiexec.exe	48
PID 2964 wrote to memory of 1936	2964	msiexec.exe	48
PID 2964 wrote to memory of 1936	2964	msiexec.exe	48
PID 2964 wrote to memory of 2000	2964	msiexec.exe	49
PID 2964 wrote to memory of 2000	2964	msiexec.exe	49
PID 2964 wrote to memory of 2000	2964	msiexec.exe	49
PID 2964 wrote to memory of 2000	2964	msiexec.exe	49
PID 2964 wrote to memory of 2000	2964	msiexec.exe	49
PID 2964 wrote to memory of 2780	2964	msiexec.exe	51
PID 2964 wrote to memory of 2780	2964	msiexec.exe	51
PID 2964 wrote to memory of 2780	2964	msiexec.exe	51

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe" "__IRCT:3" "__IRTSS:23874292" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709283" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\jds259557224.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259557224.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1932
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        Executes dropped EXE
        
        PID:2856
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        Executes dropped EXE
        
        PID:2176
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:2128
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Executes dropped EXE
      PID:2968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 96A7C20E42BA17A4B1C186335FFC53C9
  2⤵
  - Loads dropped DLL
  PID:3044
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2084
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:2056
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2064
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2896
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 56760329054E85C75DD0274815F21781 M Global\MSI0000
  2⤵
  PID:1936
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 574EACB299F99FF44312311571C422DB
  2⤵
  PID:2000
- C:\Windows\Installer\MSI3829.tmp
  "C:\Windows\Installer\MSI3829.tmp" C:\Program Files\Java\jre7\;C;2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F86E270003DFB6DF54BD4D3047890FF5
  2⤵
  PID:956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9120312C40A8EEB658033471C3DA27C0 M Global\MSI0000
  2⤵
  PID:1340

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1248
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2360

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1284
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
PID:3416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78b8f7.rbs

Filesize
962KB

MD5
38cd68b3fd9ccce62df897cfa52007fc

SHA1
5f8cca0c8cf8bf3877c6624800f8048b635df9da

SHA256
fac996337d7b020a29bd7a69813677ee640035786aca55155f097285f31f4d6f

SHA512
5a87fb8436631bce6e2a2c15f97dd48a0a36346220bc95c91e18add4ba0559ef143657d0bfd9bfde6c64e62cb90f725c49f50a57fdd995cda518e4dfa68cca8c

Download Submit
C:\Config.Msi\f78b8fc.rbs

Filesize
113KB

MD5
f505ba775a70d6458c8315c974923bf2

SHA1
73db177655d3d14f2861350ef4fb2a897f66312c

SHA256
fe6c66509c5e7715e1faf2a712d4a771a74b62318b9a93aa7551dc33a0f65e90

SHA512
82801f923be5083c0058f004202a9e0e8a688f0943d6167da30abb7fa2d4686d8d5a0e117e57fb7f101ded04ed5ad3c176e307e2b93e4d118a0ffde47ce63941

Download Submit
C:\Config.Msi\f78bb44.rbs

Filesize
7KB

MD5
0ec5fc94b63fd17210a84201319c05af

SHA1
434f33353907d3966eb2c2ad2d294f5c418c9b25

SHA256
03f8275176cc44ac713e6445e9c738007c850b40ff640eda7ffff0f1a4590dd7

SHA512
6bac11d1e97ceae6cdc48741719bdb99f59f6b0957c58068f8a53f46b8386a082fdfdaa392908a23f7597e8902c822ef52a052b12cdf445337686d85ce4a1bb2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
173B

MD5
625bd85c8b8661c2d42626fc892ee663

SHA1
86c29abb8b229f2d982df62119a23976a15996d9

SHA256
63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a

SHA512
07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
fa95e2b01b4dabb563e7c51b283ee894

SHA1
7441dc12d3e1438e7261993f8fd2d4a3b898b86e

SHA256
492a551a6b1b082112c6c66fb632afd7f060f61e17dcdf3744e9801feac04a03

SHA512
e117dec5c3d2485656e5a2b0019b97e077e6fa50821acce2e1c97ee217816ac0efa2ab3344e75c003ba3e0d36c155690d36a2babc2960ffb342fd6aaef669b92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
211c2f8f8cecd6fc604a539f64c8c6d1

SHA1
a53849bfb8da3ec99ecbcbd1825e7340cf08fe42

SHA256
c21bd8b7395f3dbc8f9644f82add5c42abf9b8cf5f6f22f3acaec64777be4d61

SHA512
7ee6330ca1d2424dcc89c80a072c018cab2ad089d61373b8130d6277553444f2dd4a9f175c7779b092c197ee9add564c7b5fb0a425fbeb9d88cca80fad709961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9405b24a011cb928b0754b3d57a81c3

SHA1
9ce1c44854a66706b0c372763d095e275c413e5e

SHA256
9f090c74e6019b8f895ca833af5acebc847048a5534b679a433410e8e331187c

SHA512
18d68941238b821c35ff033f20664aa5d77b5bd6dfed589c9d5f8e24e003634904bf6290606f2131aaf7701b228d1138f458e126d19705e4748fde559078ac35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbde11026a164219329122648dbcf9fe

SHA1
ffc876775973b78c407e32125ea810c1d8ef1092

SHA256
ed3802e6ab39d4cca82ac9dcbf860662df58c542f46f98d2d0d8eaf96be68473

SHA512
fb66791961ddd70b7365b26be914f3927654ed6463f2342352abec721c03a9558a7ae104696db5ff9912b3ac5e0f0d77e6fb77d59a1602fedf53f2f5c66626d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
33d4b61b3827232bfd9fa53985c9a0b1

SHA1
ceaa659ebfc9c468b9cad8a74119cfe65537a1a8

SHA256
802d1e8e128f2a615d0684292ffb621f5c8ae68fe71c5eb71425f4bfe122f368

SHA512
f16e66969d67352ece5a7805ed7c5b06607909b0558cfd4049714289eab98c7a2c608f672d9d5da4ad3f0327b653b8a4a8d8ebb0898a9d0ec1a03309274e3d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9b63d809ab80880340d9944d8d0bc632

SHA1
eef729fc38bea9e8a788a4db25a90b5493f3e351

SHA256
6cce3b9f3c1e40a7a5f973d3471f6a0301d7a9d9e2c8e7ef3d9ae78f8570975d

SHA512
7b59ae6d1174e23213c45f844ddb835bc9719f1c6b66799efe52096cd18639a6d4c7c88be0db22c3fc1fd70d7b02e5b87dae4c756cc4d62c3750180ce60abf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\runtime[1]

Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2530.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
27KB

MD5
07d1f65d5fe4735c87bc0c0449af8070

SHA1
a4eec2eb5cdb6aa3401a87a3b79965f2d1a6b25d

SHA256
32ad9765a33769340b30ea1919f91042f9944cbc63dd7528a7493eaba83917ca

SHA512
9afb76bafed84a473b9327489ba32fb1a75e8613343866b447f1d9bb428c960091333546c54436e3d57b7325a77d61fd755ab838d5d8d230f664b45be2636658

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34F0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
2885c4a1dc2bc52ea298b8d9c7e1bfbb

SHA1
964bff819cbfd38692900403460c67b9d0dae8b0

SHA256
4007ca82da52600902ad2e269445e0ae15701187d111ba7f59546c7dfe1fc3dc

SHA512
e0480ece21136a29a727fe99001fae8a9009a4ce92bb1a48644cf20dfc57fe70cb685b6427a6582f85ac2ffee93d85fe91c7cb1bc5b8e2121f3cb38907da2e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG

Filesize
206B

MD5
1c09f11f645f5bc8ad2fc424184e36fd

SHA1
7be93cc50c32e0f7307489c9e5cc2928c7083ae6

SHA256
d28d35dd7eac3d02d501365b6e264a63bafc58e9620a89d05d320de6571cc785

SHA512
f77aa3f143ed8925b5161715775ed4cf6d281c85d609d34dff601b688dd7b24f795333a447c3ed65a7a612ca0808346e73888473cac74cdf2b91018701683b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
0314a0f669165b4e59739311ae077948

SHA1
993a17c3e130275bb8734162773cf70808fccfd2

SHA256
4d573e91bf0c8cb83127ee7d0f8bd94344dd0d9d80f5212355d405c301a8fb41

SHA512
6a43b3faba1018403adbc18c5336d53fd81cc95e55777a3c54a87d2ee53c7d1574ca04a045e02745a5a422fc1faa54ab3702e94653177da6b8b91c1e7194dc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
bdd65c0250504bbae95d89e3af56c12c

SHA1
c963f7e440c4c391201533acae3be513c6723bf0

SHA256
ec78b5098bc883fc6c96f46821de3ea9ca11d05faab67b8b560b1dd8aca584c8

SHA512
555479c3799e15189aa76a48ff42afef3b25c2abd127e045ccba062b6e7810a4bd27ca49eba6146fa11bdcba001153b07e0ef9000b2a8b14c82fdba6109557b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
76a95eb3aa924d130b2a60147cc4443c

SHA1
b19c95c2a38fa2d2e7d9acb89a68f7ca664924d0

SHA256
05b954ed90eb42c480056bcd5101d49a3be83fafb9db0dae8226ba1616d5e402

SHA512
f24b3c669cfa461431c9ba91a91b146990d72c6ab9557793d8f28596d2cc96e588114fbce4cd2c21bb38dfc6445c174856f5044ca7f71e77f1738876df62b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
e74e81694bdd2d1370dc43c71ead9b9f

SHA1
fec3d9689a883eb978b171b39570a829bbb83c0b

SHA256
6f86d8c78b9da18aed4d1df50cf13fde56754e7d2398c6ccdc44504c4a8a824e

SHA512
bf8ac81c62e2c6f8a4e7d1e28a4ea0036bf31273876b4521c593c715024a150ac9d07f1d9ec4fa060266f854df8005cf088d90b97de6c9898f3cb638805679b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
140KB

MD5
fb6e4b6d29a7745edfae660f67014ee9

SHA1
b40377b43ccf09a372363d3aae6c3c1c65148700

SHA256
86656a12b39fa2db2d3b2ef82944b7b876d494eafcefb6d4ad356e3fb091bb49

SHA512
d911b7ab912e9305c3f54f1e63ae524df87e3e3e34b23695ae5e029ab47b569db11d3bb2c066b539b416ee5e79796068b788cfab40f6b490880ef40684d4029a

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
5KB

MD5
515c45d9da4c615f7aa931fe67941121

SHA1
71582470022487dc37cbcae8395bf9614ee8b365

SHA256
251c6dcbaff7129aba535ab84bba4e4828f2eacee8172d6b07acb4db2714c6c9

SHA512
587c416a401848ee7306a26c8a3100f778e71ccf1cbccdb04be9b405f85201120c2a1aac7551d6d119153d52b464eace7bf78fd4b0a81b8952700d30cb44f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
0d0a9be74e328916be135faee9a2b114

SHA1
7ab511478f3cb2f2b478bbdd955faa744e3ff31b

SHA256
02084d3503215071b345d509a34b4ba013ba43ac6dd0ca4ca51057875448c40d

SHA512
467ca575f19143ead93c3ef43d54ac84a5a02f3bd2a532c514517635af6ca0a6fbb04d03b17f450d429770d1ea2c53047b91ce1f3c61114ef369c9161a833eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
5eee7021924702d6825a64c223df5d49

SHA1
10dbceb3fe0e4e4ddaf356e68fa472d78290898e

SHA256
ce072c2788616cf5f76910baa0f541a27c45d63054fe149ac44df61f7a92e7fb

SHA512
dd3821ea878f608faf59005753f1557a0c0cd4befe7c18408b3bce28d075ccb62125b5dc97fa6c256c65b03a7a73a09779e997190e73e6d109a87c3d8e048fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
23KB

MD5
2f161fcd31041d178d39f1eb9eaef94f

SHA1
b04ba372285cb96c9242578cb61ba258f6e593e7

SHA256
161fd195a0bb3e4c56c07012a73630436ee150a1889ad97b3303886303fbe4f4

SHA512
fd989abba7fd83c6e9d1fde3e36577890588fd4fdc948d9424a1f134899f1056d20d0160cdd54db5fb3696869d0d4d3187cc519ada7302a892964222e530e026

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
740B

MD5
2a4c79a20718be447e9b21e5782ff079

SHA1
1658aeac276c9baa560102b4093e56e43aed3563

SHA256
6fcbeb3a48902a1ba8fe77b566f6af64fd8a5604ff1f9f75eda1f1cf62cd00bf

SHA512
6678be417b82755636dc4ea07e5f6321eb3b5dd1464e38011a06ff2219cd46112f2cd9c8b7c5920b8d301b297833ea2a9dc768ac1facc4da2aca2c84d3c4f87a

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
bed1faf91ad17cf27a07d784c4f7552e

SHA1
08bc59a0bf1af7d52a3fc1b838b87ccc8ba63b54

SHA256
0c280eb11d5c15cc34bde953c9fc3b6a61454b3bfa457910a2b19843eca68618

SHA512
d35dcf99c4e1d585bcda498aa957bc2b53a13bde7e5607522b63673a21ddf08f90f10f212df0dcff6109e7c5faaa509fb68b0014ae56f7346e1d1e37e8798282

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
cdcf2f8c2e28d874c185493ea4cb706b

SHA1
a00b1fc305af1d9dfd578909b98f344e834c1738

SHA256
c55b2ad6bd86ef8be2608ad383949ae82237cd47a7a06a7d6cba3f39500aee71

SHA512
9c9b171fac23add340706a459a0fbb8dcb8e6d8339698b1cb243e2c0850f8cbad53ae243f9dd71199c2c146c0a8250419a16e64e600ff468f206e9de5c12c217

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
a16fd532ec028ddffa4e4adde1e74af7

SHA1
ccd3375736524ec24ec30324d1c5d773a9dbf737

SHA256
969184f6dfeecb188617dd49aed73de00d2776c5bce56b7dc3e8580398afa914

SHA512
80b53ebc964acd08342c32ded2ba92fbf1799f543cfc4487c929817e75e8873747606c3b15ea7d4e18cae859db8e9918c511ebf7f3aacf34bffc65c934618e45

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
edd7a2b497282c1a576123adfb5518ec

SHA1
c9ae4ce71d152b42b86f9ff5662ab850e9f74126

SHA256
33ccb0cc6b7af88b812a560309848a722d0030e964c6f3c6151feb216ac20413

SHA512
db4290363a46f3304849970ca7bd6cf9c839b95c06b86841cd643fb4b61bf609aaae444c5c943fbdd674261b4bc089c85dbbca2f9dc9b7f5e169baf6522ad3d5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
82d20b0cb4fd7c6ab43b73e8d4442b37

SHA1
04f2f958d6f441c497d0ca6b2b78a782802ee9d8

SHA256
08e30b65eab922e6c30b505466748689cc20fe62662f8a39cd1392b5f0a558da

SHA512
ec1975aeb2d957eadc6f913133b345ec6a14437de118f0b012e11dc0a773813387bd899a9a85f9a792eb3218fad54af9aad5d49c89722dc340b739993c4171e0

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
21KB

MD5
3ab4a62a0499355cd9c8e785a40c5f6f

SHA1
5678c712087f1ec52e0b03803a10bdfadf65b631

SHA256
f8e1110cb1808982656627af6bba859c17772348928d2a22687cf9646ca1dbd7

SHA512
863a2a2de720dd7488243f103479bfb365f275e414b2d9f7a62d7b4daefaab040793e88adefe08a0f49d388874b1838046e774fd7c3d1476592782571ee00f03

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-vfs2-2.0.jar

Filesize
405KB

MD5
a2cabc6a91a9de9e3d5d460b06d65b45

SHA1
b5af3b9c96b060d77c68fa5ac9384b402dd58013

SHA256
5af37bc47f6bcce94e740b9793115ff135dda54f9ccf98e057938c2c98765f4d

SHA512
8ec9f5646a95ec9d065f36475b722b8c2189cf708d88c298e7dd021607c5c29108e4cb98ec7e4838f91743b9803d60f120e58fb349df3e525d1e4a984609c212

Download Submit
C:\Windows\Installer\MSI3887.tmp

Filesize
235KB

MD5
16cae7c3dce97c9ab1c1519383109141

SHA1
10e29384e2df609caea7a3ce9f63724b1c248479

SHA256
8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

SHA512
5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

Download Submit
C:\Windows\Installer\MSIC410.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
C:\Windows\Installer\f78bb40.msi

Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
da025e7c96d52ef9829b1fe3a9dbe061

SHA1
c722b5c15c319a205a3d6ba150e60e15bdf6c28e

SHA256
6682c060e9b5b003430bed3346e4715607cbcd07e2d06584a0cd7cdae5872e45

SHA512
3906ca655ccb67811828ea9b33e677c01cfb745a58d5f10e609b05da998d3be7e8cd026efb5a31724a22afbd9a9b5e14c651e4fef1d21ec3c524d49a362e32de

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
f9fc5d18316bd064596e9a195fccc9a0

SHA1
7432d5f5e217d8cd07a82d9c92ef3bc6affe4bb4

SHA256
5554bfccea57b84c310476c086e6a9e675ec8bc9c2646b97b2fa8f473130cf2c

SHA512
adcfae85e3d84e254a4814216669df3e1e467c904c1cef9c301b1c4a0a552ee45968acfbb62c0e6e839f593867c97e5413ceff231860e7ffd56d7d93662a7a98

Download Submit
memory/540-4439-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/540-4438-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/540-4273-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/540-4272-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1680-1533-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-739-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/1680-1514-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-2518-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1536-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1517-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-3569-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1519-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-779-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1487-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-20-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1496-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/1680-1527-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-625-0x0000000000880000-0x0000000000883000-memory.dmp

Filesize
12KB

Download
memory/1680-1521-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1524-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1680-1525-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1520-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1680-1695-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1510-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1511-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1680-624-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1680-1531-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1494-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1523-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-1512-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-714-0x0000000000E80000-0x0000000001269000-memory.dmp

Filesize
3.9MB

Download
memory/1680-715-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1932-2614-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/2028-780-0x0000000003370000-0x0000000003759000-memory.dmp

Filesize
3.9MB

Download
memory/2064-2487-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2064-2461-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2064-2458-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2064-2455-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2064-2442-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2084-2271-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2188-19-0x0000000003420000-0x0000000003809000-memory.dmp

Filesize
3.9MB

Download
memory/2188-21-0x0000000003420000-0x0000000003809000-memory.dmp

Filesize
3.9MB

Download
memory/2188-18-0x0000000003420000-0x0000000003809000-memory.dmp

Filesize
3.9MB

Download
memory/2188-17-0x0000000003420000-0x0000000003809000-memory.dmp

Filesize
3.9MB

Download
memory/2596-847-0x0000000000AC0000-0x0000000000EA9000-memory.dmp

Filesize
3.9MB

Download
memory/2596-783-0x0000000000AC0000-0x0000000000EA9000-memory.dmp

Filesize
3.9MB

Download
memory/2808-4217-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2808-3786-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2808-3787-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2808-3616-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2808-3615-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2896-2514-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2896-2548-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2896-2531-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2896-2520-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2896-2517-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2896-2501-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2968-3793-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2968-3623-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2968-3792-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2968-3622-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads