9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231129-es
resource tags

arch:x64arch:x86image:win7-20231129-eslocale:es-esos:windows7-x64systemwindows
submitted
20/06/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.7.exe
Size

24.1MB
MD5

86fc2557f00baf9698715dc99a8cec41
SHA1

75f8f54eabd25749af37d21316f02d7d5868c398
SHA256

9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414
SHA512

521e19cc02c996fc478fead4239cd3ab24b70a441df138ed955d349eb46e7a03ccc10a3d58d8dc726292f494d6bd6efd2a92f62d3f179cb2751fc725ea7d449e
SSDEEP

786432:lKxabBbJyM9irrKJBH5lFRqH0fYk/pUJ8a:lKcSMQPKJBZlCUfYSpUJ8

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 24 IoCs

pid	Process
2112	irsetup.exe
1344	TLauncher.exe
804	jre-8u51-windows-x64.exe
1680	installer.exe
1464	bspatch.exe
612	unpack200.exe
1560	unpack200.exe
2980	unpack200.exe
2476	unpack200.exe
1272	unpack200.exe
2412	unpack200.exe
2524	unpack200.exe
1644	unpack200.exe
2840	javaw.exe
308	javaws.exe
296	javaw.exe
2392	jp2launcher.exe
1896	javaws.exe
2620	jp2launcher.exe
2616	javaw.exe
1700	javaw.exe
2236	jaureg.exe
2060	TLauncher.exe
2344	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2956	TLauncher-Installer-1.4.7.exe
2956	TLauncher-Installer-1.4.7.exe
2956	TLauncher-Installer-1.4.7.exe
2956	TLauncher-Installer-1.4.7.exe
2112	irsetup.exe
2112	irsetup.exe
2112	irsetup.exe
2308	iexplore.exe
1216	Process not Found
1872	msiexec.exe
1464	bspatch.exe
1464	bspatch.exe
1464	bspatch.exe
1680	installer.exe
612	unpack200.exe
1560	unpack200.exe
2980	unpack200.exe
2476	unpack200.exe
1272	unpack200.exe
2412	unpack200.exe
2524	unpack200.exe
1644	unpack200.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
876	Process not Found
876	Process not Found
2840	javaw.exe
2840	javaw.exe
2840	javaw.exe
2840	javaw.exe
2840	javaw.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
1680	installer.exe
876	Process not Found
876	Process not Found
308	javaws.exe
296	javaw.exe
296	javaw.exe
296	javaw.exe
296	javaw.exe
296	javaw.exe
308	javaws.exe
2392	jp2launcher.exe
2392	jp2launcher.exe
2392	jp2launcher.exe
2392	jp2launcher.exe
2392	jp2launcher.exe
2392	jp2launcher.exe
2392	jp2launcher.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016bfb-3.dat	upx
behavioral1/memory/2112-20-0x00000000013E0000-0x00000000017C9000-memory.dmp	upx
behavioral1/memory/2112-789-0x00000000013E0000-0x00000000017C9000-memory.dmp	upx
behavioral1/memory/2112-810-0x00000000013E0000-0x00000000017C9000-memory.dmp	upx
behavioral1/memory/2112-812-0x00000000013E0000-0x00000000017C9000-memory.dmp	upx
behavioral1/memory/2112-2215-0x00000000013E0000-0x00000000017C9000-memory.dmp	upx
behavioral1/files/0x0006000000019fdd-3000.dat	upx
behavioral1/memory/1464-3001-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1464-3010-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\nio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\accessibility.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jawt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dcpr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\fontmanager.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jabswitch.exe	installer.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI573E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4770.tmp	msiexec.exe
File created	C:\Windows\Installer\f771319.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77131a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5595.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f771317.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771317.ipi	msiexec.exe
File created	C:\Windows\Installer\f77131a.msi	msiexec.exe
File created	C:\Windows\Installer\f77131f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77131d.ipi	msiexec.exe
File created	C:\Windows\Installer\f771314.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16FC.tmp	msiexec.exe
File created	C:\Windows\Installer\f77131d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI569F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f771314.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f0d3f79c34c3da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036524a086f05ca4284af2e0a03d66beb000000000200000000001066000000010000200000006eb92106613f20eb72298f43ed3215a5ecd56cf3f07a721efb246a8c26e7e685000000000e80000000020000200000008ded049f8186a0fe68ec2f3f4759e33a8fb5165cb1b1239cd663a97eb74c995020000000de88382918cffbdb79cff9abe100bb7fda2a3f9ab4004e810f276bfc6a7fd9f340000000a431fc3c93caccbb054e7f4a4ba6dd4a5d0cdbe752fcfe1483dc75549d2d640bbfd83b79e8c7cbd31fad10b4c9d21714632653c94b791a89fdc3a7cdb28b7139	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503855ad34c3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5358FF1-2F27-11EF-8744-EAC5FA9F597E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036524a086f05ca4284af2e0a03d66beb0000000002000000000010660000000100002000000024f80704fc18ac6cafc93cf7db7652c202be7cedcb79c4bb31afabcb83ecb3e3000000000e80000000020000200000005516c0caaefb6e883cb74cf1686da3da5bfb25ba6c7aaa9a365f746bbbe44a6d90000000097e8e7e33d9882db9295d10530bdf6cc264089a3a57ad59ec005efc0c5923042c9d776af124948791318825fdba3dd0c523b87a679088f59cba46530c46643ecc7696bdc9aea4405107ca32279ccdfb629f4f05c07ab2b1341117274ce3f5bf86e831c05a255a429a6f0b9477deddd1f246815e858a25ad69690b3841b246e378c0efd89faf923d426568e6a5ff493440000000e63e69c5f49afee4285d325f8fc4b3c01c4238cd507c360e32ed139eb6b395a128ce94e2ee4713cded7b71e60d309e511b46e1b570f66303977795f917be7372	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_82"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_11"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_89"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_08"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_62"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_34"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_06"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_14"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBB}	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2392	jp2launcher.exe
2620	jp2launcher.exe
1872	msiexec.exe
1872	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	804	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	804	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeSecurityPrivilege	1872	msiexec.exe
Token: SeCreateTokenPrivilege	804	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	804	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	804	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	804	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	804	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	804	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	804	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	804	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	804	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	804	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	804	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	804	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	804	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	804	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	804	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	804	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	804	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	804	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	804	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	804	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	804	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	804	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	804	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	804	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	804	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	804	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	804	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	804	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	804	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe
Token: SeRestorePrivilege	1872	msiexec.exe
Token: SeTakeOwnershipPrivilege	1872	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2308	iexplore.exe
2308	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2112	irsetup.exe
2112	irsetup.exe
2112	irsetup.exe
2112	irsetup.exe
2308	iexplore.exe
2308	iexplore.exe
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
2392	jp2launcher.exe
2620	jp2launcher.exe
2344	javaw.exe
2344	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 2956 wrote to memory of 2112	2956	TLauncher-Installer-1.4.7.exe	28
PID 1344 wrote to memory of 2308	1344	TLauncher.exe	31
PID 1344 wrote to memory of 2308	1344	TLauncher.exe	31
PID 1344 wrote to memory of 2308	1344	TLauncher.exe	31
PID 1344 wrote to memory of 2308	1344	TLauncher.exe	31
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 780	2308	iexplore.exe	32
PID 2308 wrote to memory of 804	2308	iexplore.exe	36
PID 2308 wrote to memory of 804	2308	iexplore.exe	36
PID 2308 wrote to memory of 804	2308	iexplore.exe	36
PID 1872 wrote to memory of 1680	1872	msiexec.exe	39
PID 1872 wrote to memory of 1680	1872	msiexec.exe	39
PID 1872 wrote to memory of 1680	1872	msiexec.exe	39
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 1464	1680	installer.exe	40
PID 1680 wrote to memory of 612	1680	installer.exe	42
PID 1680 wrote to memory of 612	1680	installer.exe	42
PID 1680 wrote to memory of 612	1680	installer.exe	42
PID 1680 wrote to memory of 1560	1680	installer.exe	44
PID 1680 wrote to memory of 1560	1680	installer.exe	44
PID 1680 wrote to memory of 1560	1680	installer.exe	44
PID 1680 wrote to memory of 2980	1680	installer.exe	46
PID 1680 wrote to memory of 2980	1680	installer.exe	46
PID 1680 wrote to memory of 2980	1680	installer.exe	46
PID 1680 wrote to memory of 2476	1680	installer.exe	48
PID 1680 wrote to memory of 2476	1680	installer.exe	48
PID 1680 wrote to memory of 2476	1680	installer.exe	48
PID 1680 wrote to memory of 1272	1680	installer.exe	50
PID 1680 wrote to memory of 1272	1680	installer.exe	50
PID 1680 wrote to memory of 1272	1680	installer.exe	50
PID 1680 wrote to memory of 2412	1680	installer.exe	52
PID 1680 wrote to memory of 2412	1680	installer.exe	52
PID 1680 wrote to memory of 2412	1680	installer.exe	52
PID 1680 wrote to memory of 2524	1680	installer.exe	54
PID 1680 wrote to memory of 2524	1680	installer.exe	54
PID 1680 wrote to memory of 2524	1680	installer.exe	54
PID 1680 wrote to memory of 1644	1680	installer.exe	56
PID 1680 wrote to memory of 1644	1680	installer.exe	56
PID 1680 wrote to memory of 1644	1680	installer.exe	56
PID 1680 wrote to memory of 2840	1680	installer.exe	58
PID 1680 wrote to memory of 2840	1680	installer.exe	58
PID 1680 wrote to memory of 2840	1680	installer.exe	58
PID 1680 wrote to memory of 308	1680	installer.exe	59
PID 1680 wrote to memory of 308	1680	installer.exe	59
PID 1680 wrote to memory of 308	1680	installer.exe	59
PID 308 wrote to memory of 296	308	javaws.exe	60
PID 308 wrote to memory of 296	308	javaws.exe	60
PID 308 wrote to memory of 296	308	javaws.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe" "__IRCT:3" "__IRTSS:25232362" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2112

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:780
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HF1Q0KZ7\jre-8u51-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HF1Q0KZ7\jre-8u51-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:804
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      Executes dropped EXE
      PID:2616
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      Executes dropped EXE
      PID:1700
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
      4⤵
      Executes dropped EXE
      PID:2236

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1464
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:612
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1560
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2980
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2476
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1272
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2412
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2524
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2840
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:296
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2392
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    PID:1896
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B6A30F24DB2A5646F352D059AA6E63
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
    3⤵
    PID:2356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC81A0C0A7053427A785C1C1BAB2179F
  2⤵
  PID:844

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2060
- C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771318.rbs

Filesize
788KB

MD5
7e58a5414204cebb3b882eb0ef871d4f

SHA1
6b7e50917a82f45288f0de61961877633e98ff2a

SHA256
ff7a0748acab5840dcc5eefea016558e24062d87bcd3b3d5a2d3e5bb514972c3

SHA512
0109c53f3057ee56383f1decce6648712b95a4cb50c61754dab51c49fa0c9e095eab21cef4d11af7e62cbab4a1bf0a05af3df210bf53988a40a09c21bc18b740

Download Submit
C:\Config.Msi\f77131e.rbs

Filesize
8KB

MD5
133e9be6a789b568cbf81d29e0d21e0a

SHA1
2aa0147907d5c6e3404ae89ef1841807f2a9ef38

SHA256
f3c376363545548de0cd5c87a54449676e7410ef4ba9f987e5d953387c38dac3

SHA512
593a185d0b5a447b6edfeb04d4f1f352d6fa4b624280104801ed2c5486203f25f56d6dfeab8c569e6493c8153f3b355652fd31dad730d4f3a1182174821bc306

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack

Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack

Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack

Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack

Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff

Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
56f370073c9d8866796326fa3c34a83a

SHA1
9c2d75adb667d91eab12c74dbee2e18e5066e1cd

SHA256
7fffee6734e4183c563eba70ca5327f97dc9b071c79ee0be6ba6aff0b260302f

SHA512
b9c2212eb640f8025452e42b8719576f6c68450295b095319f2712ef301632d592b092b2adc1ae9d8fe6c9c444ce5242b126899f3514d2bc02d9d7fadd84b0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
1KB

MD5
71d8558edb85f006bfde9ad85fbf69a8

SHA1
43a4d86326de4bfdaa4ab08be926a1435175b979

SHA256
ccfa27294bb0532b866cba36cc0d695cbc3c77d0ae07f00b440d7c41019e60fe

SHA512
e0641983608e738988b4a6899a33c8da2390009a12aeaa04623efecfaf288552be78ab5c16e8ae75543cef9325dc7f9772505d117e26e829d1f36c370a25cb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8e064eab2a85302267e01fb21d12107c

SHA1
48d6b1b004429f131c184c3a9b503421375d6b80

SHA256
50e9d9e20e5cb1519c693861fad25fa53dbad6275083178a808cc6798aed9671

SHA512
7a4dc2aa9b27d7b099c7e5701c215e267652138fe41dae8c5fa965fb6b788599cb28ad8f78a8cac99b567a35eea047141d7140296c4b4c0023ea37bf23898cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
756d195b4e0ca72723ab476072141814

SHA1
48582c17c0e7e4e69c7ee44efeb9a6898a26fbd6

SHA256
f18a63a0dde1233eaf752e321743583db5e65bd47a94e58dbe19b6ff232e92fb

SHA512
116caf4519441beb21bdcebebf78db4a56f590b9f54fd22347c86e51d0de5eaf6175138d393d3464d4e224d946ca03c100e19944576c88a1bab485485a2f8181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d527ac71ec56e3826593ea594b09f452

SHA1
494858ce2332e6cc7eb00bc96feac8253b0f75ef

SHA256
705bb0c18471087d8b5cf014a4f38f810c409d3e57b1197c28a10065df55fb7d

SHA512
2091cf36fd84207add26ebcbe34e83668020cd0c6fbda5cc7874988260c8e52614d1e4675f5f8779085b0c7ff8744faa85a38d271f07f625f72697881ff55c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c10020d3c7c4be566dcf90684eb5d236

SHA1
69114ec84f5cdd88c8d43b739dc2631d03027d09

SHA256
fb467f68b67defc98d388875a15fcdb1742dc1c61674f35a268a38496f3703ef

SHA512
875f4b212c064def76ec298ffdb4de29a1f03482933e3f33a205a540af05ccfb6bde953793096ec6b16f945909bc443dce8ce82bdad734b35b2499f64eb9fa70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a0d6be2f05a82e90b2a08f888981ec5

SHA1
b52869d904f2cf8304e6e44d852eaaadb2046746

SHA256
04479a1d7f53f63b51f42db035d5566e1d48d08e430e9b847400147a83c28782

SHA512
7f31717ddb4080fe72acd4e4e616986a088c2ec3f3bf3c89ab207bc5f42b53ea886e832abe6321de428bb726700ba64824a82fb4bea6a8e5e265a073f1c69f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7d898ee80499cc4125933558a9efd3a

SHA1
1e4acec5b73646fb34a4a7001aa29b23d5a54700

SHA256
92b60ac2a6bc606f22f333fc23a4ac010c383863433a15179fc4362b6fbba3d4

SHA512
c0345953cff74398c5e8866e1c099224ed9b81391d6ba05d94348bb852e5de83c574f85f42f20cdeb98350491511e4efe96caa6e6a0f83e7169728b68157a02b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd49e369fbe018b6d34ab418468ced81

SHA1
a6f01465bc330dc9df565f106a2c4d8fd1b5ce3f

SHA256
a789e036f561a0a8d8d832befa98c377f78703a18d525a25c413229392b5902e

SHA512
7892aac07fb2b7d8ef3b031767cc5bb35c9e798e333f6ebe02b15ba94697bd0176882a6e455fe9d3059a9cc3733d4b8b59ae6aa5a228ff68088ffed66056e264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
076c1d4efa075d3724cb0dab41838c3d

SHA1
20d328cbef9a0fe903ed8999238bed5315121da7

SHA256
54643221e448ea75f736395cccffefeaf506d0b0c80c0d85df9c1e8f4eeb36de

SHA512
e4119b4ba9588169aa126264eca522648edf78e68f26581bb25151ea3710253eec88a2315dbe6b8f4b9aef8d5261b019d0b05ab7d3f2b0caf97d4fe5cbb2407f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dc1feb855c39a83ae2ae598ab84e372

SHA1
c37b7f76716a8f057b13c493d3f355b5cdf76e73

SHA256
74d6066afd2be50f2cb338da29c61bf6efd980dedd7ed2f2b526c5a567c47725

SHA512
89b56971228d563f6ced350d0f14ce2c8db36aeb5f80808d9711ffc0be4ca5fc1877ce6a7563fac1ced1ed7b591dc91a8dbbc879c5a33f877d12dcacc3abede2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c527fae41affe493727b4210fb44ce11

SHA1
c6c6988b9341e29b5c48058dadc08315ddbb5c1f

SHA256
80d1185f9fe0998330a29937500e1d1ef94aa763da2363cde4be5f4264c10086

SHA512
e6652f96240dcfefb727cf75a802f82147e52d5af9a2a3038a9696ba8d7ae36a122e31f6cdc0c3ae14d16f3b7b76571fac2a19a81f8c64e053581ba66f2baf5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5752ea60513a5cfdb3231728fd725ead

SHA1
3f0de3dced17b67f043a1a7fc313e5873341fb83

SHA256
e0911219f6e5a7668b5229c979692ba8a8bf110672806c1ba97e06410db325da

SHA512
e3bf771908fcc031aea08b922f136679f06147de25f42b2bae9fd9aac5e72737a8e7919cd12e0ee8c62b8030762dd2cafb437964edf225439352652e1fd7fb81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7588ee5c57d89527b2f3ce61defddf0

SHA1
cd1c0d599ccee937eeffabdaff384253eaa107b8

SHA256
ef3bdae0c948e3229d1d7e729440285729b1372e053833cd10bf3e22f9849ec4

SHA512
c6e84af4b77e7c5975975d2ec5b7593dc2e890b741959fafb4f78634ed8a52d0520ef95e19151d2b8487fff10b58c9d431221c8bef1009367e003d701853010b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4645f54a5acea1df1932b08a40a2e10b

SHA1
22cd561c95d8746887e1fba5cbc5d2daee7b902f

SHA256
03a021a7b954912063fafbb725070b8424e01afc89c395b909c05723f55db088

SHA512
f0f8ac29edf54ca51a5448e3c4dbd980d97a298694e86054cac1be19db651774492e3ea9997c4f183bb1af5fef20271c0391bcc4fd26b3b04c36bfebaf9453b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cefcb9582508ad4482b5c487859b25f5

SHA1
c5b40de562d687455e171b37477eab631ef9ad52

SHA256
3062684a73ec4355da172f1dad2e82b006ff7ac03430c12e015a3ddc2b4ed6e7

SHA512
438a65ec2ccd995e2a5dc89ff4b07f87d5404f1d06a31c5e94155b7c47b14ad2196e953c9ea3269e2de8236a3c503a47b317cf5e99e96f2f48e0542c8583d9c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
7501f7166bb82efbe473b5e9be66b5be

SHA1
940d2abac84d866a2b7d78910eccb9f0b56e979b

SHA256
55291c88bbaba93e7cdf48c3ccca3acc9c4cce2e2c6551a715a0fe93ba07c3a2

SHA512
77839a48568da37e9ff543afdd762cfdba477b2111429521774cf856562dcb8aca5dcbb8327e0de5a5dfdc041b7fee76de4f94d4e08d73484065760119b4a8ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
add592be13b2a028c593a9e88f4919f5

SHA1
c428a40b36bb34371c41f9a2d98bf10bfd917c90

SHA256
1920b45d8238daa38ca93750272c915483a9448383f3ba2f82aea517cd77d523

SHA512
4057e9573c2efa5f1a3649f55d96bf9949785307af906aecc1ce2d0fbdf2ab374c43d97b43b168e8304df8d87d3dd2faf33aeb39248e5065f2222f8bc8320c48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
402B

MD5
9783e582f2a6d6a1d266e4b436238ee8

SHA1
a317abe280d8d9bf00c91afb609bd714560ebb85

SHA256
05a69b7ddc7d533671fb78b8c8adee3116c522f73d137237993d4d72105b44f7

SHA512
0fdf8846214d167630b6dfd1f4a7d89a5c84271316f839ab5de9d503f981847e871b4c2fcba0d953bf990373f9f04410e85ac19a9fe2d7356ef23ea68a534c48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
af746779e74b32f5b74815cc62e8c056

SHA1
70b89a3cdb2d71f8e619c64895b91003480b7067

SHA256
358f9b5c66e02c619b8b40f5b045a484d97f0135471147bec5a3491e264e7508

SHA512
4aa62bf59e1f02c81414fd497ca52e93d875aba6765c3222beac807d5b560a79be08b89623d8287898e575d404cbee7203ec71e9d84ea2baf7b31cb20f56b2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
8ee2b02097a6c8ed25b8da4b06201d67

SHA1
fc33182dec7aee9b8a8ced2c3a7df924277f5338

SHA256
4f9549a18c0621d668da753a8fce63151777a126f0e236101ec28a85d99a878f

SHA512
4207ec9cb5c92703f27439bd3949935e15bbac5238ca4ecdd06a1df5dfed3a7d3ae98825ae942b4196c5c29e3a4868d3fad20a5f054a235bc7a01bc511a121ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
4e35949cc41f8dd572a883468b504c15

SHA1
31280dfdedcd24fe6adee24d3684136788ff2df0

SHA256
fb14a087195d5b8c9518317a98a390d4623ad6b36ecfc33d8912aa74f7528c29

SHA512
450f051b376d3ea391691928084c79728957b68be3ed04ec2be930bddaf39be3be81863b143762e19098318cddb7ce521e2cd28cafa88aad9c5155fa2847ec40

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFM0ZADR\jre-8u51-windows-x64[1].exe

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3430.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
803866e63e1b433eafa31ddf1819d88a

SHA1
e5cbdf988d8711b831981c9cc5c2695e44ecd963

SHA256
3cff2eae4bc6ef69c72d163d41c4f387e8cc3413772024062d093583069fc6f1

SHA512
d494faf98f9179111f0a1e6ba8261d6b0924172c57663ae26efc4aa3022c1420dfc980705ca5579169a33a68baa299bdf3c38b8f322fbf2e54ed0f36198aff98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
4c8bb522e8cf8c27b8e7fc318c7ab17b

SHA1
3071a7f9b977d6a27e9ab0777456b3c13753568a

SHA256
3eccb1386194744d6596a9c3abf854ea591e12742d789518e90afb99fa370871

SHA512
d112bbbcaed8b8ec04bf52fa0f2a320c04dc4962c862e383e27b6f4f8bff621ee201b982140f84b6de527753e92511e21be539296a9aa38e572a5d5051c7d539

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
54c173de619065c86d50c5c7cf66097a

SHA1
58111b16ba2075c2fcfe30ddef29ea66108cf9ad

SHA256
30db6860833fe2f29801d604bda19e5a0d2a4b9f409caadce56dde13324078a7

SHA512
85ec2700ebbc18bfcbee25f3b025a9c1d3b32502f6b4313c2df124f454c0d9d098414bef0a8bf44f7e5b3eeeae6e3491106c2b477d69b94158b897ea6b0f5b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG19.PNG

Filesize
40KB

MD5
f4b1b9ae006f2e94ad42b436d63930eb

SHA1
078af4d2f9b9a45c55d3d56431b957c651f133ee

SHA256
ef87ee87501f2c30fd548f71cc6d02d39daba90c810403c682ae1aad6b33db6b

SHA512
3d0af3521d187491009c569c50197dc911c08b8ab0bae0185835fc74151e60dbbb5c3f59ac7b41432e03137ec6cb272ce38edb39b1ed0d1bf266872a940ae37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
c2d61af0e799bbc8bcde7bb15564952b

SHA1
09bb6c51afcff1276a9ea2a795a9cf3e5ab4494a

SHA256
5ca45fb4679f8ec9671685874fe70871f1cb49e6b6f6210137864784888d070e

SHA512
edc12546dc237505c698092db968d04399a697c0bd9a10e56daec05340864d24f56939e182a052275f6a750aeb4a02f32b21cda0311278ed8e0bc758bb577743

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
8KB

MD5
b9dd2f7b10bcce97eba11359f4e53b4b

SHA1
a1060bd1a69f3c9277c337b1bf55cb69691eb47a

SHA256
f1dbbb4a7d3314512aefb3dcbf767bb3930a27e0e385af14fc586086c73e0d2d

SHA512
b74fdb426fa8cf2c4180a479aaee67d447f3f72680baf227246f8064054978c25302647037b9a33a89dccbf5a2c1fc925b38f06c815011b5d0e1912e96880ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
18KB

MD5
4fcf78c9425d9c8109a11c48aa3fb958

SHA1
cac1623cdb7c2a6a9f4816ec9aa530d28e275062

SHA256
35c5bc46437d4cb1f0491c214f506881338ff1f1129a399f8d875d4afedfd23a

SHA512
c22354e591335c9476a7660f502ccdbbbc5a8725bae6ecbf9c2941b287f3191b454e5e4f43c006ba3d9039cb2b4b19d0a1d98998c7088a875669da0aa5adac71

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9849FC722873E709.TMP

Filesize
16KB

MD5
a9c50c7284a3cba020f37e4e6bfa3a3a

SHA1
486fa3d730cf2fa49f9bcc3cbe4e64ec782809f9

SHA256
a72f9f86e3366a9a54e9bbbc849bbb977f2df515fd106dc3c3a6a706f164c757

SHA512
1f0ced2ff6fb807011ea99080042e3fe805f668a24214228c44a7ccdf0f8c52447a7bd80f9e7a099d305376d633e5cd4beed99c4f92e3363789b4ca843c191d1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
baf26cf75bcc4e8d89ab634d96191627

SHA1
7b3acdb1ea5cc827b079cd2b5ebffcffedc1da9a

SHA256
81b942e871ef52c2fcd67c769f400e3f9f9bdd5921b4eb77f85c9653bf8715f0

SHA512
1162675a91229ce9c92161b17ab765693d455956f8217dc71ae916364a289a37bbebeef23415ffc5b6b8374321838dd259b26184d6aa3865c69d92a254068ec9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
19cc60490b1c2ff33fd88054ea0b08fa

SHA1
e0efb3ffe0e9de359922d134c68f67371d0fe21a

SHA256
49708851bdda2b324cbe7fa391af81ff3fab72de28c88b073035b1ec87fc5e57

SHA512
452fb6a1f9b7a908f6bfc7634a6f9de848adbe37fa080977060d5b2eea7da1207b87b1449b37a909d6be8e748fc39c6e7d30829546751f9c60c2490f2bf46aa6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG

Filesize
40KB

MD5
03d58ac14d285020d8020a7b4a7ac818

SHA1
73b957485acf523bad27cf862cafb18f288a27aa

SHA256
bf4023f3007fc456c9debecea23323110f720a5d212c2469a691a6b89e3dded1

SHA512
a7c223f7336cef1841239d74296ef6aa31e201df4c8ec85af55fd8aa1f88c2ed78b99a6c2ee9015592376d02018757acc1749a474853c3826f04ac5e7f08fd25

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
1cde7f4b65d7915806fffa1dc22bb527

SHA1
fe0dce2a7ea338b44e1d264288379ac14289c430

SHA256
04079a342d1ada8ef6ae3ca5503a307a72637061c6d34cae90a3dfb342ff9727

SHA512
84bc5e70bbc6ac35a351e271796af476aaa7dc40edbb5adfc6b85978dc855787c1d20060792e9efdfe4e8aeb6f271efc4df4a757d79ee53d057bcac3d79587d7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
aed347c1520185c3d1ca24604e5689e2

SHA1
d1a213e4df60376d3cd9c4c8d97051a74c5a42e3

SHA256
c6c1a74804e7ef24c8f0fe671f9776ffaa96fd78f8cf609be29394ec4b528580

SHA512
7b7ad53f205fce8c0b19c68a33affa41d79e780fa10a67fba11239bf3c06b7995764f237ba0dcce3d6f9fdbd9038c6ecb73f3c504066bd71f2dd4224d8d86aa5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
29bacaeca4131335a6821277b65aec45

SHA1
050fbd5270b614c3ec14ae4609f91667922f5416

SHA256
20c7e42db9c1f0df908dcaf4fa7536ea9d236b747a30d55d1744a286ae8d9e06

SHA512
747b3cbbed596517c19eab89830a781ec4fc0f52cdae642250b1a941092dbc0f40e6096e423f496e6e267f99e164a97031359568d842691c432cc445af7410e6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
b2b0bc91de24aa3c87c5b8f2b1ffd261

SHA1
4b4974828e97eb9bfcb2eaf92cb0a54fa1c61820

SHA256
fdd2df8cec3463ec92db1180a85ed47bd526c55089bbe7fd141d2872a71575e6

SHA512
a3ba2173ecc5c4e095024c265789ef01db844bb9638a9a2eaf653e0c02ed112abfbaa19382119efa085a636a0a97345efdcae394575e662408516fb67aeba85a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q0S363ND.txt

Filesize
512B

MD5
6e35541c6c757cb8a515429f80e1adc9

SHA1
c19d51828b0e0c4119160533b097ffd871dfc3e0

SHA256
890ffc00e8a8d7d26352c9a2c3c47534a863724c324ab2998f295b8c4cc09444

SHA512
f139da21a659e54b7090504555f5a84c1170f8cc03115f71ec832a43dfa7838040cafb8999bcb2ee628dea6cdd649962e91acc1e922cf38ca293c5579c2bc361

Download Submit
C:\Windows\Installer\f77131f.msi

Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
af9bb57e1893112a57a47df0908bc3d1

SHA1
39f31da08004741fd4b9fb31b04e29368f1e317e

SHA256
1cf4f5e5d5bed48b7c989e34bb80507ca623cb1ac1fc1596f07cfd1dc7aec60e

SHA512
3a8cd6660a0147101f4898c20a6fec1192b4196ae8e46cd3e730dc43c8bd7feed9c576590b6aa79c7763e5942466ac9118d44177edbc2ff1ddf1af3da5234040

Download Submit
memory/296-3352-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1344-2218-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-3001-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-3010-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1464-3005-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/1700-3516-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1700-3514-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2060-3583-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2112-789-0x00000000013E0000-0x00000000017C9000-memory.dmp

Filesize
3.9MB

Download
memory/2112-687-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/2112-2215-0x00000000013E0000-0x00000000017C9000-memory.dmp

Filesize
3.9MB

Download
memory/2112-686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2112-1546-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/2112-790-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2112-812-0x00000000013E0000-0x00000000017C9000-memory.dmp

Filesize
3.9MB

Download
memory/2112-810-0x00000000013E0000-0x00000000017C9000-memory.dmp

Filesize
3.9MB

Download
memory/2112-811-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2112-20-0x00000000013E0000-0x00000000017C9000-memory.dmp

Filesize
3.9MB

Download
memory/2344-3642-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3754-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3979-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2344-3978-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2344-3777-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3776-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3758-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3755-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3748-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3719-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3593-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3627-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2344-3626-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2344-3628-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2344-3670-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2392-3394-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2392-3356-0x0000000002050000-0x000000000205A000-memory.dmp

Filesize
40KB

Download
memory/2392-3357-0x0000000002050000-0x000000000205A000-memory.dmp

Filesize
40KB

Download
memory/2392-3400-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2616-3497-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2620-3404-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/2620-3449-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2620-3405-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/2620-3442-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2620-3448-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2840-3272-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2956-16-0x0000000003550000-0x0000000003939000-memory.dmp

Filesize
3.9MB

Download
memory/2956-809-0x0000000003550000-0x0000000003939000-memory.dmp

Filesize
3.9MB

Download
memory/2956-6-0x0000000003550000-0x0000000003939000-memory.dmp

Filesize
3.9MB

Download
memory/2956-19-0x0000000003550000-0x0000000003939000-memory.dmp

Filesize
3.9MB

Download