9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414

Resubmissions

25/06/2024, 20:58

240625-zr56qavgnn 7

25/06/2024, 20:52

240625-znv7casdpc 8

Analysis

max time kernel
294s
max time network
297s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.7.exe
Size

24.1MB
MD5

86fc2557f00baf9698715dc99a8cec41
SHA1

75f8f54eabd25749af37d21316f02d7d5868c398
SHA256

9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414
SHA512

521e19cc02c996fc478fead4239cd3ab24b70a441df138ed955d349eb46e7a03ccc10a3d58d8dc726292f494d6bd6efd2a92f62d3f179cb2751fc725ea7d449e
SSDEEP

786432:lKxabBbJyM9irrKJBH5lFRqH0fYk/pUJ8a:lKcSMQPKJBZlCUfYSpUJ8

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 24 IoCs

pid	Process
2016	irsetup.exe
1912	TLauncher.exe
1980	jre-8u51-windows-x64.exe
2544	installer.exe
2720	bspatch.exe
2092	unpack200.exe
2624	unpack200.exe
236	unpack200.exe
1832	unpack200.exe
2572	unpack200.exe
520	unpack200.exe
2524	unpack200.exe
1920	unpack200.exe
2744	javaw.exe
3020	javaws.exe
1596	javaw.exe
1628	jp2launcher.exe
1576	javaws.exe
1308	jp2launcher.exe
1824	javaw.exe
2648	javaw.exe
1100	TLauncher.exe
2468	javaw.exe
1076	jaureg.exe

Loads dropped DLL 64 IoCs

pid	Process
1168	TLauncher-Installer-1.4.7.exe
1168	TLauncher-Installer-1.4.7.exe
1168	TLauncher-Installer-1.4.7.exe
1168	TLauncher-Installer-1.4.7.exe
2016	irsetup.exe
2016	irsetup.exe
2016	irsetup.exe
1976	iexplore.exe
1252	Process not Found
1692	msiexec.exe
2720	bspatch.exe
2720	bspatch.exe
2720	bspatch.exe
2544	installer.exe
2092	unpack200.exe
2624	unpack200.exe
236	unpack200.exe
1832	unpack200.exe
2572	unpack200.exe
520	unpack200.exe
2524	unpack200.exe
1920	unpack200.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
852	Process not Found
852	Process not Found
2744	javaw.exe
2744	javaw.exe
2744	javaw.exe
2744	javaw.exe
2744	javaw.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
2544	installer.exe
852	Process not Found
852	Process not Found
3020	javaws.exe
1596	javaw.exe
1596	javaw.exe
1596	javaw.exe
1596	javaw.exe
1596	javaw.exe
3020	javaws.exe
1628	jp2launcher.exe
1628	jp2launcher.exe
1628	jp2launcher.exe
1628	jp2launcher.exe
1628	jp2launcher.exe
1628	jp2launcher.exe
1628	jp2launcher.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002f00000001454e-3.dat	upx
behavioral1/memory/2016-21-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/memory/2016-762-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/memory/2016-796-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/memory/2016-1515-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/memory/2016-1542-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/memory/2016-2201-0x0000000000370000-0x0000000000759000-memory.dmp	upx
behavioral1/files/0x000600000001872a-3024.dat	upx
behavioral1/memory/2720-3026-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2720-3029-0x00000000002B0000-0x00000000002C7000-memory.dmp	upx
behavioral1/memory/2720-3036-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\fontmanager.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task64.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\accessibility.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\npt.dll	installer.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f78447b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID69B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f784470.msi	msiexec.exe
File created	C:\Windows\Installer\f784476.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f784476.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID521.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f784479.ipi	msiexec.exe
File created	C:\Windows\Installer\f784470.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f784473.ipi	msiexec.exe
File created	C:\Windows\Installer\f784479.ipi	msiexec.exe
File created	C:\Windows\Installer\f784473.ipi	msiexec.exe
File created	C:\Windows\Installer\f784475.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB7F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 000107e041c7da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000009583c26e0e1f1efe3affaedd225ca1024b8e5ad737873e92331dc68d0cb418c3000000000e8000000002000020000000ef661313a3e9b76a84c55969d02720d9bbe74b84b03ddc1a861b1596613da319200000001168a50b62908cb90dc9d61e87fed64ea74467d9767f1b1a1dede138c18d26ee40000000927cd959b160f544fc780a210f16629a897ed1fc2ae04474e4fa89516b940e1c02df502d3032b7b9cfaf5cd08cec3ae4f1f2156631eacdf8287558d02eab988c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6091aaf141c7da01	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{186116D1-3335-11EF-AA16-D671A15513D2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000000a2018ef96267b66a94cfde9ad1e4d3664b7074a5949b3073707633e4a013450000000000e800000000200002000000056a1c8812d1778883df8bd841b01603410ec2500a0238f773dd999ef3fd051cb900000008a9522082c59992689714d0d542aa489454c7432bf2a54cba416f70e983f9790ae2ff167dfe8fdb98ef8db6407f1a3fcf4a39ee79bfb262167089a181a637dddcea98dd82335c8063120f9abf213b0807f6a98efd2743a7140f3796b99db8904f44eaad85b7a3bde112e9a4b593cd00a17d0854dc475cdc5ed21db09791ba3dab072b1ff9085169a53ef78657627d98440000000afdb58594daff04f8606f0c2c1244884bbc7bbca8b3b6aaf300a13229b5e85ff0cdeb9453aae911a16dc4f260592a34eb2ad54cf88e37b6b913d99a0899d4dd3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425510730"	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_28"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_85"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_44"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_39"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_50"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_46"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_78"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_86"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0016-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0_02"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_24"	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	jp2launcher.exe
1308	jp2launcher.exe
1692	msiexec.exe
1692	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeSecurityPrivilege	1692	msiexec.exe
Token: SeCreateTokenPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	1980	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	1980	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe
Token: SeRestorePrivilege	1692	msiexec.exe
Token: SeTakeOwnershipPrivilege	1692	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1976	iexplore.exe
1976	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2016	irsetup.exe
2016	irsetup.exe
2016	irsetup.exe
2016	irsetup.exe
1976	iexplore.exe
1976	iexplore.exe
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE
1628	jp2launcher.exe
1308	jp2launcher.exe
2468	javaw.exe
2468	javaw.exe
2468	javaw.exe
2468	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1168 wrote to memory of 2016	1168	TLauncher-Installer-1.4.7.exe	28
PID 1912 wrote to memory of 1976	1912	TLauncher.exe	34
PID 1912 wrote to memory of 1976	1912	TLauncher.exe	34
PID 1912 wrote to memory of 1976	1912	TLauncher.exe	34
PID 1912 wrote to memory of 1976	1912	TLauncher.exe	34
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 364	1976	iexplore.exe	35
PID 1976 wrote to memory of 1980	1976	iexplore.exe	37
PID 1976 wrote to memory of 1980	1976	iexplore.exe	37
PID 1976 wrote to memory of 1980	1976	iexplore.exe	37
PID 1692 wrote to memory of 2544	1692	msiexec.exe	40
PID 1692 wrote to memory of 2544	1692	msiexec.exe	40
PID 1692 wrote to memory of 2544	1692	msiexec.exe	40
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2720	2544	installer.exe	41
PID 2544 wrote to memory of 2092	2544	installer.exe	43
PID 2544 wrote to memory of 2092	2544	installer.exe	43
PID 2544 wrote to memory of 2092	2544	installer.exe	43
PID 2544 wrote to memory of 2624	2544	installer.exe	45
PID 2544 wrote to memory of 2624	2544	installer.exe	45
PID 2544 wrote to memory of 2624	2544	installer.exe	45
PID 2544 wrote to memory of 236	2544	installer.exe	47
PID 2544 wrote to memory of 236	2544	installer.exe	47
PID 2544 wrote to memory of 236	2544	installer.exe	47
PID 2544 wrote to memory of 1832	2544	installer.exe	49
PID 2544 wrote to memory of 1832	2544	installer.exe	49
PID 2544 wrote to memory of 1832	2544	installer.exe	49
PID 2544 wrote to memory of 2572	2544	installer.exe	51
PID 2544 wrote to memory of 2572	2544	installer.exe	51
PID 2544 wrote to memory of 2572	2544	installer.exe	51
PID 2544 wrote to memory of 520	2544	installer.exe	53
PID 2544 wrote to memory of 520	2544	installer.exe	53
PID 2544 wrote to memory of 520	2544	installer.exe	53
PID 2544 wrote to memory of 2524	2544	installer.exe	55
PID 2544 wrote to memory of 2524	2544	installer.exe	55
PID 2544 wrote to memory of 2524	2544	installer.exe	55
PID 2544 wrote to memory of 1920	2544	installer.exe	66
PID 2544 wrote to memory of 1920	2544	installer.exe	66
PID 2544 wrote to memory of 1920	2544	installer.exe	66
PID 2544 wrote to memory of 2744	2544	installer.exe	59
PID 2544 wrote to memory of 2744	2544	installer.exe	59
PID 2544 wrote to memory of 2744	2544	installer.exe	59
PID 2544 wrote to memory of 3020	2544	installer.exe	60
PID 2544 wrote to memory of 3020	2544	installer.exe	60
PID 2544 wrote to memory of 3020	2544	installer.exe	60
PID 3020 wrote to memory of 1596	3020	javaws.exe	61
PID 3020 wrote to memory of 1596	3020	javaws.exe	61
PID 3020 wrote to memory of 1596	3020	javaws.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe" "__IRCT:3" "__IRTSS:25232362" "__IRSID:S-1-5-21-39690363-730359138-1046745555-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2016

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:364
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\jre-8u51-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\jre-8u51-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      Executes dropped EXE
      PID:1824
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      PID:1356
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
      4⤵
      Executes dropped EXE
      PID:1076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2720
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2092
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:236
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1832
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2572
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:520
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2524
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1920
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2744
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1596
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1628
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    PID:1576
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91D97181E9C15E0FA6C0DCB74E9681A5
  2⤵
  PID:264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
    3⤵
    PID:1920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F838F432A906A1B6D02E29D72447EBDB
  2⤵
  PID:2532

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1100
- C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f784474.rbs

Filesize
788KB

MD5
c35fc293ee8ffc16b9241b6423f45242

SHA1
6ff3c69a1df23af865ba01bef68bcc34fb4ecc15

SHA256
b7195aa588e80b72b0936ce3bf3261b2c74cc665f32ee199fde4cabe60fc2896

SHA512
acf400970345b9180d450a8e7cd28cf7dfddbe86aa0063c4d7b56e3b7b7cd73f70b22686bc5a86e791cd317b4bad4441b2d367829f7301263dcf1f6ab88c9e5b

Download Submit
C:\Config.Msi\f78447a.rbs

Filesize
8KB

MD5
98b5130767d0fcc6d2711763af0b3e60

SHA1
4501090c9adb9356f91d2ff9bd2d98fad9f55ff8

SHA256
f16b23c38f2d3aca0e1fdf8bf038b85451bfcba4f2919e4e4ce915c7288cf23e

SHA512
6d0fba95f71992fc991f2198c452656cce32e769caf175aa7c99fd3c01fa5e22c8a9d5beb41477705df65ef625003455eb4e3ae7f7c783c70d0424beb34a6a77

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack

Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack

Filesize
1.3MB

MD5
2ad7c3462a7494b29edbe3701ebeab4c

SHA1
7358ab9b0c4771efdc0d28764b90a46aac55e865

SHA256
7cdc489fa093e924649e82f4eb9689bc1bc0d28e20e37a0a94060efd5428c2db

SHA512
8b1f0f5932896f1876e5f8137dc8f74ff79f02b7708220b53ab2146fc742403ee952c68dddff9a92c786d4a534f7a266327934a8fe84a3c979c016cc8c93efdb

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack

Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack

Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack

Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff

Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
8c9289a4638795df945a862c2210816b

SHA1
f596d448de5bbe298bf14f91bf5afaafd04a5973

SHA256
c987b9123ea293f4e4b0e4b423b786b43f46d31e939fe924ffb545b11429e0e1

SHA512
83067b8252db90fa0e931938ed93a27c4342502554fcff8afd7e46417dd5de305d0ca2d73afd38f63114fa768ee886875a3f34494daeaf09424e597f4cb02a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
1KB

MD5
e7628aad27da06f77e1754928215e364

SHA1
65143820e245cc5fa067565b302b1c8919b72235

SHA256
52f545ac31755be5ca33648721b104f6bc429ae4e4eab66b9c5b7ea747bd1eb9

SHA512
4b72079db382e9c99f5669f9bc379d77f6bf4623f4200ec720b1d51b5c91cbb9a513a42d1c182384baac812834fd215985430da4cfe2ae3d8429ea1e0a17a0e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
1cbbd3252b442c1e194cc76159b9f835

SHA1
d58b2bbe9066fb8256433845f410bed9771d2e08

SHA256
b4cd9e4ef61a326f9ba7381bcaa41d4cc5f1379ecfa14d043245c990a6aa1822

SHA512
be8775f8aec192ebd0dafff9b68c44b4de288eeed129339a1f73d9e313f6a58f5ec88556baeeca3b34f32c1009f2ed19782eb06093d269acab777ac917c38f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b57ad960fb1a79f0cd9e6a9e23acd053

SHA1
add9d60be94508a7ec961d30d882dac0811f2160

SHA256
83bcba93b6252146804685eb2edb903efc3e6515a7e671327fae8ed9922d6f4b

SHA512
d539150e51ac199643a3cbc9bab6e341c5f0bf12c9f7b995da9b195e442f619d461a59b75479fdc9d47331f5c24b8d473e79aa75206022ae86631d823d011933

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ae72d404fa4ef576dc7d491351a1262

SHA1
f824439a800274fa0f4c015ff61b950c43361e44

SHA256
1b90ba39edd6f3a90a7a226ecf9da9ff835b6241f7a90ada129a42801fdbc7c2

SHA512
cc936d97f44e7d7015e4f8e8e32b786134d259dcf2724bd5194616e05ae015827cac39e40c17f1b1ec1e95bc153aef87a21e2a2d783e1dc7be71d5eff6b56791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
683294121fe6208fa9c4c61eb0acf10c

SHA1
9c54513119b77cb147a20d64f007f764cd41b019

SHA256
1ca6df251e7b4c45a79f6067c97f435f227caa5270d3a68711b6b6391fd3c635

SHA512
9f8ba581d3c07af09a3b9b20fed227e5b92dc93e03c079c5b9d2a10bd87d98422c05767137dad360ad18bb530f33bddfcffa2eb2d84b347e10bb9632f9fc82b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2aecaafa04b5a586f159685f5793cdf

SHA1
c50945517795fb675abed9ff244580f55e33d2c6

SHA256
4ce2191554aeeb965a562f48a5bf5a1fa653c53a4d6be00d48c668043b8bb551

SHA512
eab58302965ca84bbc6f7f10752d29f186e830b95ac117870d0f653a510832aadb1433efce48135866077618cf9fc233c18a85fafb106fc0cafef9242464f242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b39a22010f6337ad7e141851a96dcc32

SHA1
66d1a055fb33cf20a57d32da37c6a291b8a4462e

SHA256
aa89ad192a6be9aac3de24bad813a36f10d627bbedaba00b6e14312ebdf038cd

SHA512
ca580cfa9184d8f35aebadad66e73b877c20b1219bedebfc3c629b127e0ae04e70bcc5227f9827e7848cb87e1318c4853cdec20bb4c8810322fcdd691d939780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f3d57ad70d678e8f6a72bf9edda81d8

SHA1
610752f484f970fdcaa4b9a1ae508b5234b26bcc

SHA256
fa054333fe907ca8902aa186afa84e1705332ce5a92e0fcee2eb45a005d164ef

SHA512
fd064223dc0df45b93e1972ae343e5c4a704206897e6b2920a7b02976815231fcafae0c7d54d3fcbbc8f2b15ed01ab1aba176b25ce56333056fa744ef8c55177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fa995aa56fde83e1903409dbb29f2d2

SHA1
4e9cb18693249c81c5ef330c3139bd9ce668a24a

SHA256
c6681d136eb50dc65ae4c8d0f4e1e2100b4413f08ac2c11c198f8b7b73b16380

SHA512
a99ceda902726e32dbe62b5dc70c02e8c4cb03a2221375be81d35df4af41db503b3122d01582a13f1ed5fa15ecb7a25f371b9fd9f4cba797bfa787343fc1098b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ceec150eb8273ce7a1c86dacf16292

SHA1
272d73573b6aafd81fd6cbe108aa22adb38004b3

SHA256
d31aa7eb56e40574566b4ed6d58a52e643ccfa3877daa824dcb0d20c9d8b2a09

SHA512
c74aee7547c2d78abf76a0fdaf07bd0d0e15a1c6003e24618bdb1bdc3b39eea1fd8f1e4f342352da51714de2d306acbc0655d5089ca27a98904dd6f54d485444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
964c59eaec604569ddaf05136af37d41

SHA1
90205dc2431e63ba7622d2120627e9e809a2bae9

SHA256
4c8e79c97095153686c9a95fdec383d525f168e898792a30f987b07c7fe2bf07

SHA512
a72a93fb1f5d2796f6e4c8d9a5729865258b44eb3b589d7b07a0b9f78b49056829e2f3f0246f9e251255e6d8cb451b50642b8df90e35e5d23356d84b64933e16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8ad0b1383ff05b20dab7503712cb3c3

SHA1
74074a57cd9c66621259d61856d5fd95c4a4e29d

SHA256
7111c2945bf3ff51bc28a13e3a291b4d8816d95826a21aaaf2cf8fe8a9c3d995

SHA512
b0ccf5767277a49c9100b8728fd0f2d69a110ea1c1230baa5715e19865d204ba44ae33078ba792ded6b177a31a141ea7cb445bb4146eb19fb9838e7ee2b8003a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23ec3157088f89f5fd57de2c50715a58

SHA1
67103dc482de052cc01399098552af133d365e2e

SHA256
dbd49106077e3e877284bf194cb20e40e8a4c6894ffedc43f7bd47d09b1ffdc4

SHA512
26f30d58483171a26be07d3197ab311a8dde59e5c2faf1f44502cade6f705013b5b1601e48df0ba1033bd481a52ea5a5f607a88ca404e32101ac14b15c12ee6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
096e9091c66f92d7026d78499825435d

SHA1
3c7860d4c41f9930e43f6804f792e4af180844ac

SHA256
76a209fc2d5c724b29a46da9c01816a493131d74cf8b73511e0957486000b59e

SHA512
d192b8954172dbaaa4acfe98631002b93b5843e8020f60c9b0bbc2864bf60e27276a098a9f29c526dde0612c0a2a12d550bdc9f5f771017d9b471d63c174410c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d07631c61d452cc4c81a71b9147e27

SHA1
ce74dfc94b5cdcfe8b06d929979e869875f95ba4

SHA256
764f45d750b82e9e53b119bed0cbf0ad2e66a156a12787b8e3aad3dd060cd8a3

SHA512
baa04690e0949d9b84cc25b33038d9d8c4c2e5f5f640cd9eed43e4310f73e7b17a99250c5667b0823ce7d922b7d45e6e0d216c887cc5bc340443565622e8595c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
415a9ca89426d9860db71a553f28a214

SHA1
8907a52a481bb52d5cbfc0a0fa4954de2890eaa0

SHA256
5df381270f172482f135c417104b64de514477319885df9c073e07e18bc16229

SHA512
25948079ad84712c3e88a4ab17c6bfef55c9d09c511054617ce3d7df3b22ef083899c64055b96e2b1a3dddf117dfc580a1df53f6aae7adf958427fa002f4426a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c90f8138ddc9d5e4146403662a49d5b7

SHA1
d21636a6325ae6ed83a9c3c0c7982c4688f80ea6

SHA256
c7e33eed3c31059e3528e69edf766000a8c78dbab3b7bc0b2f88228f726c4e7d

SHA512
d0776b9dae748a970d9e07a3ff1992130a970945d3182ccafdf52d7383f4d97fdba64b6af5b766dcefb4cfe382b150b18309b21819767e5c1b8a76d81b7597fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
507c8bf848f64e9b74b0bcee99371c6c

SHA1
7a3b30d3afea258528eceaa004505548c9ef6eec

SHA256
5fbe22b1813dde919f87038fe802f9ea9b146d5b9c91990efb52797b25fe4578

SHA512
901f2c26c221a2f5e36ea89ea3d9951788cd0a33e6ec5f692ed3d4b7fa95fda429740a150a361f8fa37837fa41eafa1c99aec0dbae600ffcbb951d0e2b1ba8bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e411890550ba04ee1e621571a27d034f

SHA1
cfb4693977eea619ee21958d575f03420bae55b7

SHA256
b87371d807b1e711aa97234c7974f455cb4fe474e85a463fa34cf816cc441421

SHA512
e408f54bc221ce16ed7cc1acb17a7e914f64c21d5840cc41d03fb2d53c2b529cfeb26d00b72824c5165f104c9db1d81f219ecd91b914de8d66c7f4298744187a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db507edb3264468f6510de9f18c54dbe

SHA1
7694cc4e6472b7a58ec2cfbd38274831181fd42c

SHA256
747f453153f2578cb53e9604e5105b7f62dd7d3987bbec0955a9e6a8bd04e298

SHA512
da2d5780bdd686c5c4c9c86f7f31f3edb02c90f0e3debcf6f23fb01739fadaf679cec74e4174801fd3ecad8e3a00f8baa00ad4cafe6812632a7da6d1770722a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc176ee1b07b97eef3becac55fc7646

SHA1
6da8c304d80e7e88f0f4f3922cce717b4ecbd54c

SHA256
3a21979cb28b594ba0451cc3bf2949458fbd2a8e3e1f1fd2364dc75af99f1f06

SHA512
ba5420bb2598b40f6c5176ccf4c815f40aa7b98411752626aa29846b451f973b8d876acc9f7928f7acaaaed3886f522c8be9fe4a83829e7e754a27318cc96b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6830efb78df560f7413638567bcb8f8

SHA1
e442aeee87906e471b7f4e9f990d874f37a52dbb

SHA256
5dc118f703186ce9d8b5868744f42d171a30295aadd82dbe79590dad2f1d0ccc

SHA512
c6534511af60f251db29ddd1caaea44c0984ee9a8bbd0deb4072e1580aa1e908bbddf920a4406206e0d0eea832da30382a485ebbe2207868ab35052d74f00314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4974a36a270025abf12aeb6002d1fc3

SHA1
c95d8f1b383dbcca18cb490c1f72b62f3e9a58c8

SHA256
2cf64c2418a66b002d237aa22adc37a62e92056e993b78c8fa133f74284f3568

SHA512
3eeb7412a5f8281648411ad7df396a68a0479d2519213e69a687c2f9366cd81ca7d7237de17eb82245812b9450721508edb300a05280b21d51d77ecaf1c7fca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5255f792f1313a8df86221c00653c3a1

SHA1
1f6707179292445016c042c5f1f87a7fc5682e16

SHA256
33e60e94e1c4f272d0b6d68b813c6477155d6027bcaaa138f28ab0352cb9520a

SHA512
4f84889f4ddf976b3aca844661d7e533e956eb97dd2ee3d57cd26d7d95fadc6fb6e62a46fc7b73bfa7f8028be9084b71408ea553ca3d350630648a706133da27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab1b16c91927d47950da00c69d6362c6

SHA1
2d3dd3d15122e02dfc9c0baaeb4faa3ce727d1e8

SHA256
6f8079af0160c4239ba85bf7ffdc2e2b939f324ccc8d2edf53e7f140861d41e5

SHA512
ff559e0aae03f32e86c00b8a99eba02c5516f13b71d3815c94b672227ef5d03237e450fc0ee8ba43d149e48e09afcda034c00deacf1d544440900a0ab167e61a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
217548bd00b5677b9b6af46a584c9be3

SHA1
f00ef122094c500a65011fb064b392f417d34f24

SHA256
2bb454bf6cb4ec221281426e854cbab784bd839d66845704db53c95098dbf29c

SHA512
2537e926c993ccc8710495f439b764f1d73a6268e2d2a9e25928d7ce2ff2e003ab75ed5412908ab1fe3a0fb86327eb52daf54d6f45a87ed7686b061d6410c318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92c0733d64d6420b5c6c35b206b1e5ca

SHA1
d0fd2bc66d123de6a9a29896542e369300288944

SHA256
d5d8ec209be06fd6f250049b32e5bbab81df5241d0bcbf17b8c3915928bf7edc

SHA512
874684fd5c62dac5e13f7b95d575d9db3859c9c870527f71dca55e7d5d14c6a08edcf42ff79b5ea98d5e4f18dd07064f24a1626822df284219e4d6eb4be521c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7392cb47beac996a2453c81db86c855

SHA1
a4682137897b3e8f96658b2d61e82fa929ecb43b

SHA256
7b30b7d40390094c1c0de748cb88f0bc99933f4cf368d2babcbe2e60d4b489cf

SHA512
c386ac527be6e6e2d95b008772d03b417d64afd7786fddb674f4ef377c775d0da59248c459822d8ba25958757266ea201f40aa6bdb2ba9f9e99cfc9186a72925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c13c342f88101308ed8a6934d8a8087

SHA1
db3b2008e2b1c892505b8a1f2ca9d697c47a6894

SHA256
f8ba1100224f374f841f1b7e1032076f7ff48449f3108bb7b0add96d0df9d9fc

SHA512
497e11bd7b278c36c66863c52ccf6e07ad62382990ac7dfa8a27a034efa25075418cb4e01638611600ca79f3f7e35bdbe8a65567c15692014eed4641f3060cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
2196acfa5889d0b1c0590e133603ed7c

SHA1
95a5f63fd177b27edd3df7bfe0bd7f5ad4a9553c

SHA256
f39e84d5a744ca6a052b88c4db4c4c1e70ab80b6afb7880128357c5833d489c8

SHA512
7ab1281a0730f69a422346dce4be1d003088dabdcdca356daaf7ac5dc6e72ec246e7afa1c7675a2af93eded45274e3129f017981ba067b8a3814a9299578c092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
fbd8255b5a031f473b9b261f26ddfbdc

SHA1
0e9d992f4bf156e2fff8b176733de7fd07bb3e9e

SHA256
295c7102f5823bd2be4c1ea46855ab9dc70e34e36013ad57f0622df08a54f3a9

SHA512
b8ee3a34c6bef4ec85542e8fc31bb4f400b51e7b8eb70d1990aa2d8498a6818d89ccd5c37c8d773afed6a1cdb9cdf01fc3081c6dd6cb3cf7b1868aac72ae81e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
402B

MD5
c43c188775fbf7c2181b7e79970f6efa

SHA1
4460f8e6cf4dc3a8d85dbd5f6c5822d41c4868c8

SHA256
30ae5b81fc4ffd544eb4a6d31d8b619cf6d77bfa35f1322747fd2756a0c6214e

SHA512
a6055896cae0576bf3f028f878cf21e177749b4537f7ed6ba9859f5f91311ca21a350bbcbb4c756b571fed63aa6960184c482bfe4cd86939a1e06f4d279f8cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
5ee5ab9f822c17a7df59b7f657d69e18

SHA1
35d04efae46ebc4e2e00c93a2cfb9db72106d9dc

SHA256
aca20026c392e903fac2c67bed3d8367c95eab8d747ad60564ab620cf49356a9

SHA512
83a4220ec88cd2ad2f101a371ca69f42dd28de3a6a1003030a98e00a1d8a4d361fb70c01e2c124607280322bb20cb849fe9d7f936fda9669889fe10de6ff7ea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
948c6e724254fad7d2fb707936eab6c3

SHA1
d4562d679af816cc38daad56a56e08ae5eb5fbe0

SHA256
bd421d7146b77e8c49e8839ec2fe54ffc976ef0b618b56d2ad6cdf167c8b7161

SHA512
612014c05be8b4440dde0333264d8893aef831a37adf0abee8acb242130b7cc9f602b9b26908ecc8247229e3763660e965345731f790e960dadca89feda6144e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\jre-8u51-windows-x64.exe.txytwxj.partial

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab97B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar97D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
803866e63e1b433eafa31ddf1819d88a

SHA1
e5cbdf988d8711b831981c9cc5c2695e44ecd963

SHA256
3cff2eae4bc6ef69c72d163d41c4f387e8cc3413772024062d093583069fc6f1

SHA512
d494faf98f9179111f0a1e6ba8261d6b0924172c57663ae26efc4aa3022c1420dfc980705ca5579169a33a68baa299bdf3c38b8f322fbf2e54ed0f36198aff98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
4c8bb522e8cf8c27b8e7fc318c7ab17b

SHA1
3071a7f9b977d6a27e9ab0777456b3c13753568a

SHA256
3eccb1386194744d6596a9c3abf854ea591e12742d789518e90afb99fa370871

SHA512
d112bbbcaed8b8ec04bf52fa0f2a320c04dc4962c862e383e27b6f4f8bff621ee201b982140f84b6de527753e92511e21be539296a9aa38e572a5d5051c7d539

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
54c173de619065c86d50c5c7cf66097a

SHA1
58111b16ba2075c2fcfe30ddef29ea66108cf9ad

SHA256
30db6860833fe2f29801d604bda19e5a0d2a4b9f409caadce56dde13324078a7

SHA512
85ec2700ebbc18bfcbee25f3b025a9c1d3b32502f6b4313c2df124f454c0d9d098414bef0a8bf44f7e5b3eeeae6e3491106c2b477d69b94158b897ea6b0f5b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
c2d61af0e799bbc8bcde7bb15564952b

SHA1
09bb6c51afcff1276a9ea2a795a9cf3e5ab4494a

SHA256
5ca45fb4679f8ec9671685874fe70871f1cb49e6b6f6210137864784888d070e

SHA512
edc12546dc237505c698092db968d04399a697c0bd9a10e56daec05340864d24f56939e182a052275f6a750aeb4a02f32b21cda0311278ed8e0bc758bb577743

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
9KB

MD5
be9b17ed7f4f7f5eee5fc956f469ef36

SHA1
0fa13f1f888001303fb4fa79bb6b8ae446721da5

SHA256
a0ab923b6e56374e9d7bbb1953aeb0e1dcecb407e66980638c2e50181626f4ae

SHA512
f8835de5262c04f96931f56799fd2bb91cddd3a69915d47e7534e82c38ffbc91e04502db80d464777e95d61d359e0b4ddb7673129d27831be000334ae48659f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
18KB

MD5
534b25bc487ff88ee5cc2fdf36ed0707

SHA1
ad6ee2286cc98e2e22e4e6dc62c512163d7820cc

SHA256
74b5acb4a81f97510f3c1884d2cfb3a73659e514c0e3acbaf68e326114b74b97

SHA512
cd39fa1276110fd985a7331082b598e4c0395261bcbee7fa863792a6112bc69a7ea2a1bc7cb4bb7e07f44f746be5eef876ab081bd317737647c1b595e2d283e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF909A798CB15B8060.TMP

Filesize
16KB

MD5
567d7aa6c9f0ecd5aeeba467eeae0343

SHA1
e9fe33b0e31da53f449eee6b512db8cb8dac49ee

SHA256
8308f3fdb66ca14b4d0dc77567e04b8db7be3d192d187df9004d3ec31afd2e53

SHA512
9934534aef075b56b3006743fd4f44bf30e4e56fe14abfa60b86e03331e11062ba7863715f5386d7488749bfa0dfb87d8f7eff31ac76eda996639cd7f849b148

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
baf26cf75bcc4e8d89ab634d96191627

SHA1
7b3acdb1ea5cc827b079cd2b5ebffcffedc1da9a

SHA256
81b942e871ef52c2fcd67c769f400e3f9f9bdd5921b4eb77f85c9653bf8715f0

SHA512
1162675a91229ce9c92161b17ab765693d455956f8217dc71ae916364a289a37bbebeef23415ffc5b6b8374321838dd259b26184d6aa3865c69d92a254068ec9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
19cc60490b1c2ff33fd88054ea0b08fa

SHA1
e0efb3ffe0e9de359922d134c68f67371d0fe21a

SHA256
49708851bdda2b324cbe7fa391af81ff3fab72de28c88b073035b1ec87fc5e57

SHA512
452fb6a1f9b7a908f6bfc7634a6f9de848adbe37fa080977060d5b2eea7da1207b87b1449b37a909d6be8e748fc39c6e7d30829546751f9c60c2490f2bf46aa6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
1cde7f4b65d7915806fffa1dc22bb527

SHA1
fe0dce2a7ea338b44e1d264288379ac14289c430

SHA256
04079a342d1ada8ef6ae3ca5503a307a72637061c6d34cae90a3dfb342ff9727

SHA512
84bc5e70bbc6ac35a351e271796af476aaa7dc40edbb5adfc6b85978dc855787c1d20060792e9efdfe4e8aeb6f271efc4df4a757d79ee53d057bcac3d79587d7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
aed347c1520185c3d1ca24604e5689e2

SHA1
d1a213e4df60376d3cd9c4c8d97051a74c5a42e3

SHA256
c6c1a74804e7ef24c8f0fe671f9776ffaa96fd78f8cf609be29394ec4b528580

SHA512
7b7ad53f205fce8c0b19c68a33affa41d79e780fa10a67fba11239bf3c06b7995764f237ba0dcce3d6f9fdbd9038c6ecb73f3c504066bd71f2dd4224d8d86aa5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
29bacaeca4131335a6821277b65aec45

SHA1
050fbd5270b614c3ec14ae4609f91667922f5416

SHA256
20c7e42db9c1f0df908dcaf4fa7536ea9d236b747a30d55d1744a286ae8d9e06

SHA512
747b3cbbed596517c19eab89830a781ec4fc0f52cdae642250b1a941092dbc0f40e6096e423f496e6e267f99e164a97031359568d842691c432cc445af7410e6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
70dada7eccc59e431736237d3b88d1e5

SHA1
b5b5439fa021b1489151cb43a9a97ce531421231

SHA256
f919dd280e7b02fd21ae2424913f683f8283ea2369080b950245709a4d933cd9

SHA512
7f06f8bf6bc27053f2fe26ad966b65daf10e7e53eae26790e56c43cb3fd3762580fc2c2bb6b3b02527c84fc6e2a96a6ad1b3fb7a96a93008a94d29596fd31300

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
3KB

MD5
95124c42d92dcf85a4720c1b0acee595

SHA1
e5e32693541d0dfaddf7b393245fbbb693117cb0

SHA256
38c9e46f09a36251fe5dd6df6e1bea79145c7326b816a140eeec3ee9a0d87b82

SHA512
3e84650caaf06f968f60d7468f2e0b7ff657fbb19747438ab450272cf20df5dabb7efc11111d38f389cbf05415d01bded36e79d503c3acc55cc381f1cd99e631

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
dbe7abb06b3b42b57e6f90601360fa50

SHA1
ffafe08c1f0d0aee80149d3875d8543a7d393323

SHA256
1cc1be116ae120a477b52c51559341b7c963640569cd7ee403c4c920e7f0753d

SHA512
c52126153b97082a3d8f8e56b31b12e1fa6ea56ce02e5f7bf9c9d857ea6204b75bfe663f5894932f777a6026d0462e81afb5b7328335a0ebeb46084d224a6964

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO

Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION

Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE

Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0JDR0ARS.txt

Filesize
512B

MD5
e507e7b759cd8784e766340c84f61111

SHA1
52d9af9ee41bf319473dceccef4b69c35482b327

SHA256
6b6d401ed9c2c84fc919c5800b4e351b5a667b661691ca9927caf1ef91bf253a

SHA512
e387731bbdca60e62618587abe05fd269695f461359e0a797020832933777ba67ebd950f0874ee7bb31ab401c491782171f1b9176a8b5ec95a40efe3837d3240

Download Submit
C:\Windows\Installer\f78447b.msi

Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
af9bb57e1893112a57a47df0908bc3d1

SHA1
39f31da08004741fd4b9fb31b04e29368f1e317e

SHA256
1cf4f5e5d5bed48b7c989e34bb80507ca623cb1ac1fc1596f07cfd1dc7aec60e

SHA512
3a8cd6660a0147101f4898c20a6fec1192b4196ae8e46cd3e730dc43c8bd7feed9c576590b6aa79c7763e5942466ac9118d44177edbc2ff1ddf1af3da5234040

Download Submit
memory/1100-3542-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1168-6-0x0000000002D00000-0x00000000030E9000-memory.dmp

Filesize
3.9MB

Download
memory/1168-16-0x0000000002D00000-0x00000000030E9000-memory.dmp

Filesize
3.9MB

Download
memory/1168-18-0x0000000002D00000-0x00000000030E9000-memory.dmp

Filesize
3.9MB

Download
memory/1168-15-0x0000000002D00000-0x00000000030E9000-memory.dmp

Filesize
3.9MB

Download
memory/1308-3433-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/1308-3432-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/1308-3468-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1308-3473-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1308-3477-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1596-3380-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1628-3422-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1628-3387-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1628-3428-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1628-3386-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1824-3528-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1824-3522-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1824-3524-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1912-2204-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2016-688-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2016-1542-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2016-21-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2016-763-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2016-762-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2016-796-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2016-797-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2016-1515-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2016-689-0x0000000000340000-0x0000000000343000-memory.dmp

Filesize
12KB

Download
memory/2016-2201-0x0000000000370000-0x0000000000759000-memory.dmp

Filesize
3.9MB

Download
memory/2468-3588-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2468-3591-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3749-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3744-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3754-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3755-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3782-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3781-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3709-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3702-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3667-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3634-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3606-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3742-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-3589-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2468-3562-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2468-5619-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2468-4448-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2468-4449-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2648-3551-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2720-3036-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2720-3029-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2720-3030-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2720-3032-0x00000000002B0000-0x00000000002C7000-memory.dmp

Filesize
92KB

Download
memory/2720-3026-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2744-3300-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download