d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 18:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.8.exe
Size

24.1MB
MD5

ff77de2eb5a4366f68735e22ce263d3c
SHA1

8758fe1d1ab6359e3011a41e35529185f75a0b99
SHA256

d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f
SHA512

30ef806a6dd951ae33e05e40f99577675bc4dfab0a8fe6d239ebbb46e026899484e140af36e41959ea29886e54d49022cbe5c7e4dcdaffcdab67ae85f7976e60
SSDEEP

786432:WKqHyU7V5bJmM9irrKJBH5lFRqH0fYk/pUJ8a:WKay+sMQPKJBZlCUfYSpUJ8

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 24 IoCs

pid	Process
2144	irsetup.exe
2716	TLauncher.exe
2856	jre-8u51-windows-x64.exe
1948	installer.exe
2888	bspatch.exe
1980	unpack200.exe
1572	unpack200.exe
1564	unpack200.exe
1736	unpack200.exe
1592	unpack200.exe
2112	unpack200.exe
1704	unpack200.exe
1192	unpack200.exe
480	javaw.exe
1176	javaws.exe
1300	javaw.exe
2260	jp2launcher.exe
972	javaws.exe
1984	jp2launcher.exe
2136	javaw.exe
2140	javaw.exe
2904	jaureg.exe
1104	TLauncher.exe
2876	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2368	TLauncher-Installer-1.4.8.exe
2368	TLauncher-Installer-1.4.8.exe
2368	TLauncher-Installer-1.4.8.exe
2368	TLauncher-Installer-1.4.8.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2364	iexplore.exe
1356	Process not Found
1140	msiexec.exe
2888	bspatch.exe
2888	bspatch.exe
2888	bspatch.exe
1948	installer.exe
1980	unpack200.exe
1572	unpack200.exe
1564	unpack200.exe
1736	unpack200.exe
1592	unpack200.exe
2112	unpack200.exe
1704	unpack200.exe
1192	unpack200.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
856	Process not Found
856	Process not Found
480	javaw.exe
480	javaw.exe
480	javaw.exe
480	javaw.exe
480	javaw.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
1948	installer.exe
856	Process not Found
856	Process not Found
1176	javaws.exe
1300	javaw.exe
1300	javaw.exe
1300	javaw.exe
1300	javaw.exe
1300	javaw.exe
1176	javaws.exe
2260	jp2launcher.exe
2260	jp2launcher.exe
2260	jp2launcher.exe
2260	jp2launcher.exe
2260	jp2launcher.exe
2260	jp2launcher.exe
2260	jp2launcher.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000155f7-3.dat	upx
behavioral1/memory/2144-19-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2144-789-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2144-1536-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/memory/2144-2204-0x0000000000FD0000-0x00000000013B9000-memory.dmp	upx
behavioral1/files/0x00060000000191dd-2989.dat	upx
behavioral1/memory/2888-2991-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2888-3000-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_51\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\installer.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\accessibility.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\javaws.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsound.dll	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\bci.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\rmid.exe	installer.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77377b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77377b.msi	msiexec.exe
File created	C:\Windows\Installer\f773778.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f773778.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8512.tmp	msiexec.exe
File created	C:\Windows\Installer\f773775.msi	msiexec.exe
File created	C:\Windows\Installer\f77377a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8454.tmp	msiexec.exe
File created	C:\Windows\Installer\f77377e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f773775.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI833A.tmp	msiexec.exe
File created	C:\Windows\Installer\f773780.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77377e.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 40998f5079cdda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401b4a5f79cdda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c22757b5845d0c47b1cb94cf46bf38bf000000000200000000001066000000010000200000005b8d32a2671c7200a64b819871c482c2162cb36e2c251ddfbb6bb61917ea1942000000000e800000000200002000000013c0e93d7982bb05c7365116af778f61c327cf4f1081f635dd403692a0ce2f302000000008dbecd1228c7e68e4bdf84b7cf68749caf886445f2d98bbbb604faaf232e1e2400000003868861d46f4b3bad990e4e0a93cb0c2d9bde9763c55ef09e311be9577a177f5bbfc6b1acd2ee203be4bcc9b7501661f0201fed62765aad9c10bc68576ae4a7b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c22757b5845d0c47b1cb94cf46bf38bf00000000020000000000106600000001000020000000aa9c99ad7b2106dcda8dfc8d61284c2e87970df7f6388586e99d97a965e08b14000000000e8000000002000020000000d2e8d8a8ad40ca799473143644ced76a4fee28561f6b66ae12ee89af218ee92a90000000cbf409b2a39c7ef629598c7b7f6b2d4cd799c7beb52bd30f31051f18f5a0a11b644ff71e6108424b5ffc58cc82014e4b717858d7289e0c9b20661aa3afab1d9005ed1ad9c67d9cf3c60c8e8ca70324960a6cf09d16b7ae6d58576b3244688ac6e0ed8d45c48ac135d600386588fb898a74393c35f7eaf740ae27c35c7868c3f41f0c5c6e8cc1ebb3003c54a2f69142e34000000022a4885016133d9ea0b719fc777b84d75719606e4b5b3cc8fbd76e62e3588ed342b1cf64bbe2faa4c9b1fda4db7a216448836635732358057770559f81c48317	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426194246"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88CC7A81-396C-11EF-9066-F6F8CE09FCD4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_45"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_11"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_40"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_74"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0022-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_06"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.11512\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_20"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_25"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_13"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_03"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_61"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2260	jp2launcher.exe
1984	jp2launcher.exe
1140	msiexec.exe
1140	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeSecurityPrivilege	1140	msiexec.exe
Token: SeCreateTokenPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	2856	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	2856	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2364	iexplore.exe
2364	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2144	irsetup.exe
2364	iexplore.exe
2364	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2260	jp2launcher.exe
1984	jp2launcher.exe
2876	javaw.exe
2876	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2368 wrote to memory of 2144	2368	TLauncher-Installer-1.4.8.exe	28
PID 2716 wrote to memory of 2364	2716	TLauncher.exe	33
PID 2716 wrote to memory of 2364	2716	TLauncher.exe	33
PID 2716 wrote to memory of 2364	2716	TLauncher.exe	33
PID 2716 wrote to memory of 2364	2716	TLauncher.exe	33
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2596	2364	iexplore.exe	34
PID 2364 wrote to memory of 2856	2364	iexplore.exe	36
PID 2364 wrote to memory of 2856	2364	iexplore.exe	36
PID 2364 wrote to memory of 2856	2364	iexplore.exe	36
PID 1140 wrote to memory of 1948	1140	msiexec.exe	39
PID 1140 wrote to memory of 1948	1140	msiexec.exe	39
PID 1140 wrote to memory of 1948	1140	msiexec.exe	39
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 2888	1948	installer.exe	40
PID 1948 wrote to memory of 1980	1948	installer.exe	42
PID 1948 wrote to memory of 1980	1948	installer.exe	42
PID 1948 wrote to memory of 1980	1948	installer.exe	42
PID 1948 wrote to memory of 1572	1948	installer.exe	44
PID 1948 wrote to memory of 1572	1948	installer.exe	44
PID 1948 wrote to memory of 1572	1948	installer.exe	44
PID 1948 wrote to memory of 1564	1948	installer.exe	46
PID 1948 wrote to memory of 1564	1948	installer.exe	46
PID 1948 wrote to memory of 1564	1948	installer.exe	46
PID 1948 wrote to memory of 1736	1948	installer.exe	48
PID 1948 wrote to memory of 1736	1948	installer.exe	48
PID 1948 wrote to memory of 1736	1948	installer.exe	48
PID 1948 wrote to memory of 1592	1948	installer.exe	50
PID 1948 wrote to memory of 1592	1948	installer.exe	50
PID 1948 wrote to memory of 1592	1948	installer.exe	50
PID 1948 wrote to memory of 2112	1948	installer.exe	52
PID 1948 wrote to memory of 2112	1948	installer.exe	52
PID 1948 wrote to memory of 2112	1948	installer.exe	52
PID 1948 wrote to memory of 1704	1948	installer.exe	54
PID 1948 wrote to memory of 1704	1948	installer.exe	54
PID 1948 wrote to memory of 1704	1948	installer.exe	54
PID 1948 wrote to memory of 1192	1948	installer.exe	56
PID 1948 wrote to memory of 1192	1948	installer.exe	56
PID 1948 wrote to memory of 1192	1948	installer.exe	56
PID 1948 wrote to memory of 480	1948	installer.exe	58
PID 1948 wrote to memory of 480	1948	installer.exe	58
PID 1948 wrote to memory of 480	1948	installer.exe	58
PID 1948 wrote to memory of 1176	1948	installer.exe	59
PID 1948 wrote to memory of 1176	1948	installer.exe	59
PID 1948 wrote to memory of 1176	1948	installer.exe	59
PID 1176 wrote to memory of 1300	1176	javaws.exe	60
PID 1176 wrote to memory of 1300	1176	javaws.exe	60
PID 1176 wrote to memory of 1300	1176	javaws.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe" "__IRCT:3" "__IRTSS:25232442" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2144

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8SMSNTG\jre-8u51-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8SMSNTG\jre-8u51-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      Executes dropped EXE
      PID:2136
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      -cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      Executes dropped EXE
      PID:2140
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
      4⤵
      PID:1240
  - - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
      4⤵
      Executes dropped EXE
      PID:2904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files\Java\jre1.8.0_51\installer.exe
  "C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2888
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1980
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1572
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1564
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1736
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1592
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2112
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1704
- - C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1192
- - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:480
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1300
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2260
- - C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    PID:972
  - - C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5624E954F1DCDF38BAA727275215B781
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
    3⤵
    PID:2008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F83027C149EF4DCFC45FD45CEEEE24FC
  2⤵
  PID:2296

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1104
- C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773779.rbs

Filesize
788KB

MD5
c6861d10a91a1d5a50aad72035946108

SHA1
6dab6be1abb4d7be92c79def9b9cd2d00fa7ad87

SHA256
e539252e134806455c612dce915f776d6e0becd429b7cd8984ccfa455dcf5ca0

SHA512
8c6390633a1b2e6eac2505f15c7c42758376dee4c8aa4dd0dbd91531df4d9cea391002d2d65fcd192db0384f4fadf33b97a3ed767c97b6a80609a2b4950794d6

Download Submit
C:\Config.Msi\f77377f.rbs

Filesize
8KB

MD5
2d32ac6195e22cb9362de509fc54d094

SHA1
64bac08cea2b11673fc3e6ca23c13088db865e3c

SHA256
807d4d9576836a7e7aff4d46a6751224c77d31bf0bbebca430e1a17c4bf99f14

SHA512
9b199b23afe12a5edae2be6b7b6ef58b914a2e2c42b8dbad342a94dff1a565338c51c3fd3f048246ce94e4285d6aa68b312f750eb7a7e07dda1a279c5dba4b00

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll

Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll

Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe

Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe

Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack

Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack

Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack

Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack

Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack

Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack

Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff

Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d031e6e3531d236601f652da30eb2607

SHA1
4fb6818d793055cb9508f017761dd44cc0ff2c6c

SHA256
86e8db450fd28064f5850345601b975cce9a916c73155266474046531bdd8d3c

SHA512
a346f0ceec342b98324bb4f0c648ffa10880fe528680650e3b4419b4a111828e28b27d2d165e9bf8d95243b12f9aaeee62dc64772cb0d7dfcf05fa905b84c0b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
1KB

MD5
c483ab8958277b00881a1f685726b3d7

SHA1
13f8fc65ac3901f6103afc8e333268b4a16da5b6

SHA256
80b1cc1c74b6933be902eef671498c657ba4e5d0f590c0c954d53814cb8ae6e9

SHA512
c773613fe9ddb1ac0881a2453988c869b9f4a4506c1443ca9df3ad83eef75e799535708a5783e19b3a32517e6605b32e5afe696b39bfbfdb8dbb925fcbe55226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
afc085bced00f1229b444786a220f0e4

SHA1
16721d1792bb928961b086880914f2ef375f4f5a

SHA256
3241b1857564ea9a6d6573a150880b1a3e9d0867a3ab7fa72d1ce62505456fb8

SHA512
e1f243006526b8cd6a7afd516eb8544816c9c3bea13dd9c24d03e0298928364880b7a689c8c57d21f6d8f350ab938c05832b9ca77d31eff2a0d13fee57ce1270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
53e2bb0e743b116907a0d30bae9fb3a7

SHA1
047e2fba63c9e7302a454deada72bd2d0b994f3a

SHA256
6594aaa6337398fa50f6eeb6dcfb1dffa1ee9408e77cf852347909ab43e0181d

SHA512
f603b2e000d3d4a3e0ef33e36bfcacc92eaf9fc1d906b66ce224d967ad39eb6c84e92c351e2d5bb39cee22b3bf1ec9d287882427f06032f09d45d2c45d59094e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8402145c118a8a261e49388c384f311

SHA1
31d7433df3b3e21e170443013d4f47d4cbd09ca3

SHA256
988147b971913823ce723b7b17f100a76ec54e03a7b56d070c03ee0fc1be6e68

SHA512
49572515c595544900e6cb208c9a8273190d6a52bc7f3a7849e54a1e668966cde352b9ad39818efcfbbc9797a26a3e05f8d6e6f999edeb56fed0fd536fdd7167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f074c5e594f36cab311cdfde1cbed9

SHA1
0807d482ffd45046959df0762a925232b1cee8fd

SHA256
1ed53565d055fef5fc4185dda3775d9a38c1731ba154f157a03a09e8ac64cd84

SHA512
6ee1962b16c74d36ce7bb3ea4013d79a99c85ec86fbcded0bb31179af2fb47576035ffe82269e15075ada2181f7664ed3bc989f8c8ad0eaeaf54c633bc0035b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6852344f0111511ada54324e6010b22

SHA1
e18c6748f0e390377d327a93e79511da1c3be288

SHA256
fa6ccc116ea08e2582b29e02233a8d108c1df0e4f3361e2872e5ce49c3dbfa61

SHA512
5c2f43405b803c93604d97c43ba3fd20ff9a778bcc29d0c422d3ddd532eb74f7bd3e474d0b5887481461f32207539215fc1a6fec647b95842628df9fd22dc372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cad4ffa7fefa916d1ffcf5f1ffa1711

SHA1
c0791efb79995dd85632e3c16ef86d7e928b660b

SHA256
15d1f60a469c523fdf392e2f0b45148a8143dc956430cea9588f7a471dc0d802

SHA512
e32a5173d9cb0acfadb3f2ce48cccbe76698d2b83252718c765c1d54cb0bfcadab613690e4ecbb60a76748dc9a7694d9373664740eb4023830da3e321844176c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
757bf55a2b4412a19aff8bba795fb848

SHA1
be4b116243ed00d77e1fd4dfbd4426d71c7c554f

SHA256
722bad3253bce8d937c464156abfe6ad1251284335ea920c223e1e588de56e09

SHA512
fba4cd2c90d38164daa9bb32e2fcc258ddfda625811419099dafc2892f984e4bbddad56fb9d671dc98ecd0e4ef8b8d104e8fc254f38249f24eb776eceb36e058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9834bc7aed1099943e482702af3e038b

SHA1
a766ee4fdc943fdf4a947b9f7fb21bb7314aac10

SHA256
eb4dd94d602c39091c5042dccbf026104ef62879412f1707b1fb3576bed036b1

SHA512
0fa9ffece76d7430a0e03f42894b24dc5349718cf524c6233700bbb7048d5b11a77a781f6fa88d17ac9fd90fcafce7133e5d99b559ea00f1751e54116457fe1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac35892f8134cf509226effaf06f670a

SHA1
0ac2fc3a8ef2245e0f9e79475fe568a6407e6f84

SHA256
018cc2f3b073e2996b35d70a2335da34a1aea4aaa1df8554c6536987834425f7

SHA512
21d39bedbe538e59025e6fc6199edf135b252a41defac2a8d488eacc7488d4b2a1f2800ad5037e18f1ebacd57cf43abe53fac860352e2d5686eb55c45de97f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9131dfbd4741a51110b744acc439788a

SHA1
3e7a54235448549d97e3a40ae96be0c7f51bc411

SHA256
8b983aa09bfeffbdbfc5887d097b255f26c7e11ce11640b35ddbffb90dfbc8c7

SHA512
203d829156981032c1219fc7bbb1fc592d91ccc97dc1b7669f8bd76aed83abf8477372df953ff453a52d03a95bf29691e93c13db34960bc10599efe7031a5f08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
181b1d1ee598cd4ffef6b491dcdc7187

SHA1
d843566cf6cfce31bf6c6155b87b164e0dca646f

SHA256
74533d0f17eeeb11429e47dfa6a53b2b1ef1e60ee0c9aac7e36ff14f3aa42b71

SHA512
2e390cd0e41da17c7a73f1cc99ac24fdc6a51f7db25b3692b8d8eff7a2ee553d2b047eb1aedbf79c56b4006a49becb1ac562d8e1013f2af4935cc3efb4f6eaa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
078cf789ac91286a995b723eaa669b09

SHA1
d2f0ddaf8974ed1ed81527d6bb06aa72fe32bbbf

SHA256
f8d007fc337117de5c934565af494e91613da09210beed05b4dece6999a1b3cb

SHA512
52d68358476d5b807f59be434628fb6837c10f489c9c1688f143287219bf58ad3c6f7de59e783f3ec32c94cb087d34e5a0351eb2023b057ab50f44951c152e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b3f7e159c33d027c010b9d5df2447a

SHA1
6083599a2e8e163849d706a9774840e8594aafd1

SHA256
caa66816b70b98e1b93ce9b7c8dd44c861907a61dad10360c3ce056acd296804

SHA512
c53c74e6ae248f7b96587d13b99a4b1805396410f3da2c22df7166122ffb98cca5d313ce66d2b3ecceb2e991c36866c105f30239a558c04c72b4589233fb7450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ac60ec9c0f74025beb3274e2565d82

SHA1
84de58c49a813fac77c8f608333abb042791cdf7

SHA256
816b16ee9ccd4cf42638701704d2ae351cf37af5464149698b06af1af47f3f0e

SHA512
8deb5f3181217f4c25042c2432687fafa280651286aa0e5dfd049663c08ea55391d22bd5a4667c67de5ffe524bb9a5087da5b693865b921c5e8145a755cc57fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ba6d11d7e18960c81fc901b1286026c

SHA1
b863c5a27f3f6173d0b0a2138486c802310323f0

SHA256
7b9cbb323e7d874240e1ee115618922a89403384bb20039bcea84ff2b6588ef5

SHA512
db80fc932968f26668dd4b95c9c238cbe9042b3c244709f4e1d545ad1770f3f2af036e3bc37e03ba09fa396e1d95fd17a6418e8ca2e95b79d885169f527e2741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac7e20d83ea2a551c0860bce83cf652d

SHA1
b4d04a76d1338c2d37e240d6409d88ee5ad2ca50

SHA256
c416302127e3449f1dacd11a8b058907de41056a719a5af6afd7aa7cbd97ddbc

SHA512
b7d4055b8dc6d37e28e839ced015b7d98b763a0d17c9555fd890f2300357ae7b5ed5ecab2dc002e0f02d77309dfb0c3cb97b5e61d95f70d1304be347c7b8f915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2dc2014cf96fcdde08ff75a6e6b5996

SHA1
fe1713c0c1a356c0b67ef846d78d1a392918c8d5

SHA256
cb103e4956e1db160dc3fee982d14da25b5fb95c06b26348bbac5214b067c2d5

SHA512
0f77724d8d0ce589b08dbb338e992129c08a7157bbdc48bd197257e7ab1df825d30dfd3d1c24583c1d85f1f2ab7aa20a72858a2720c1f78d6e4dd047fea52424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdea04b9523ba2353b52cd38ca32cd02

SHA1
59b8daab7e07f08fb78338432c82e9adc8d00836

SHA256
9da7e0567247dd3a89f5f6b6bce72bf38140c65835228b857a4b83a778dabdd4

SHA512
8a32f6fb81cb36203cf201ca63d5d5baefa9d37bd63c372b9a258a929d92338654f4f7ba7c06dfd385dc5562b84b12fb487231815f98561269305e2de8ef9c1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fdaf312c2584e126c17d57cf9f5a15f

SHA1
dae2e5ed9500543901bf16caabf0f2738f52727a

SHA256
69bec8366fab36a932a796236a8b29b883a93c8b7fab692f71570b42a6a54418

SHA512
a3f5b3d53616d59af182aaf820bf0f345fbab5ea0898bbcd2aea8bf4b471c53974a3165f5ee285a0170b0d03be35929c6b68b90a3e4eea6dd04c62f170d6fc30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78be517c6fac70723f7eeca5cc80ef00

SHA1
701f0b75062a0c8a570890256a964384b0177515

SHA256
ca00f7bc5a0f7afc9cdea56be4646aa520d3e6dbfc2453f9f0da92e3255e2fd1

SHA512
c0cca974de7d5d1474b5ee902305cd4e6b39f85273463f29e61b6038b70d518ba5994b9e30654a94a629cc679050bd8ce98352a034d925b5120e09ff184adc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83e3d17e9405a1db57bfe5e5be542cd3

SHA1
4a567abfe1294844a13380727da385620b0515e0

SHA256
9de7f706c8f0214794722c900786ca126f2f07472e741940b76863c7d44b6388

SHA512
158521a16c4f279cc434b4f1254699fd19d123adb7bcd23fd03fe5bf02f36f8c3ce891a181fec004ddd8600b666b03f9e0a3164c788d073cea82bedbc8273a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
352eee081f7a8fd49d7743befaf9991a

SHA1
1c950b8b75dad524c4220d8cdd6baea9924d6acc

SHA256
ba7ca9a3b22158d53ae0b5ced7a300a82e0785399caf3274177b927b91a066ef

SHA512
a4eeca92bd70d01b94172016c2b281845d9d4d39b28ea7eee31d00fcdf99183c225d6506783d38e1406e8ef0d9dbf91a54825c4cb6014b506a1fc32f7aa306a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5cce080bbb00896a20eef18c0141deb

SHA1
ae952378e2d0ec8577082fa1702f5cadb0e2abf0

SHA256
4f59eb2f5de7341aee671cb01a91b240dcc2b6cc7bf3bfa27a38497d7b65c19a

SHA512
40baf367906c9461af4d83845de4ecaeb1d780ba99ae9ddecc5adab6aca0f45cb12913e23f329a402bbed5d305ed7427187da7b60888f9f06f7d59a2e2e75411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
375239023ed3709cfe5197cbe6ee1197

SHA1
81ce8b81b235c2911519d0d9bec461f9e951f1e3

SHA256
b1f2cfd453cbb8c19c396b3dd805051dc51348b707822c95bb0a7b196bf84515

SHA512
8a48f6371c6e26056ed71ad9c6944f3342a6d1bddeedb4160a41ada6c47d224b626d2145c6052634cb7a8721c04764f5a80388abd28e74c7b43e88c2bf6a2c48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
cddb2c48b7042a201623d77896d53bb9

SHA1
acdaebcc84197a6808ba41ed421a1f14956386ce

SHA256
a31d45345c5388e953b0ad03783c0b15f5bae720b84b81ca49e7d97520277f73

SHA512
2926c99784535e36f9939a1516bccdbc30fc0fe1060f8fe5e0aae9a8560f5e9d66de01eda10e2427ecfe25b8e50eeaf617ebf557770ba32680b1c679c57072e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE

Filesize
402B

MD5
fb764a2ce10728a3bc625077c9fd9bbe

SHA1
e96686997a4dd3d2e1845de5f5963238eea8a161

SHA256
c48cf6603489873f5f1b8e9d8f1866d345e26e51b8c43f50b794a55d9c323fb4

SHA512
2fea1fb4f14afa08b8fa658391068d736d436e0fa7a93849fba78dfc1866a3deb5290ee5e59be44525beb9b0ce564285cec8bf1d50c866b22d47ff4e89e0301c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e1a151a676bd5842b2c404cbe4ef7994

SHA1
e8f75de7d33e10240acd66273c44cc0946de89b6

SHA256
bd5d0d6bafb122e10669e69e7aef69493b3ed9f8011870748352e72700e7ec21

SHA512
90f48b12462592e3d4b2750ca3345f91873448c3fdffc5fe6acff11dd67d372a05dc66c34400888fab9dcae24f849522ac55a4d33bf0c8ec32abd1a4ae8a23d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
967a4a47c647576e5a00aedba87b19f0

SHA1
71054887ecb67b33bb5f81f4c7ec6e63e8a8e264

SHA256
931c901af5e2162d4cd116c5b2a821b8285542604cc0d58623c50f893f0fb3d3

SHA512
f5f9be65aa0edfbca32b2d5fcd47c5d64b34f55258cbe4d3d8d46885f9ec1462afaf705182e847f8bc23f03cd490ecac54b0a57708439842985176a38e7ffc65

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
1KB

MD5
b17628786a50cb2f9cd998ae84649c6c

SHA1
16a83625e05acf591f195c566654a0b4e4913a30

SHA256
c7abc24508950f4a4fc71e40a3ba1ad58fa6d3bc8752ca5cea424232b135866e

SHA512
8eff262d2176d5de55c7cdb44acba25331a859deb23d8fbf6ced00ea8832de8e27910516a92a8cbf2a3a37bccec114adb71a31542664daebaef3fa167daf2e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi

Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8SMSNTG\jre-8u51-windows-x64.exe.52ve6xq.partial

Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
92a58d4723329aef02eca2b8a6e93024

SHA1
dc8d96efd202343e40a12a1b51adcc8328b436fc

SHA256
7d75bce82c63370307200c2528783b8b6e460ad7f2386c82faf23e028896620b

SHA512
3a7824203b4a12d6257a4a54f8ffeebe11f81b964a6fbd373efa01dddb6d3b80f159dad385f454a5ebab257d0aa7621f19f367b2987407b9206859c159483104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
1468502e3f45c3c0a2ffe773591382be

SHA1
be58257e0f5142e6410a22546cc1b6ac0ef0ebc5

SHA256
4845843e4d406900aee87be95ddf84a9272d6660d294f8166b6012657b7a5849

SHA512
2e7f3b52a75d961c39fca45f0a8d2868374f3a543419a4d15fea5b874553ae15052740aa93e04e1a5966c97b4d182ff5171e4237b4e283304af819ab771408d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
10435cc0577cbd746d1855b1d0941e2e

SHA1
61c54d525919dc92540157fb856253d22514a46f

SHA256
d67c14da63fbf4e571195999898f593becb59783f7b9360417d890c2edf3cbef

SHA512
35d1aa70cdc8f791d1f327bcd2b51d3a88448f338762fc87ff97459c7c1a5860127e8bc66ad9cf5f5f4fc9a5bf752b8749c88c86eee13817d24a5a615bc26ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
c62000dc4b635684ceca46116344bcd8

SHA1
9202be85e22535f2312b7db7c77707a05e803336

SHA256
dd7f7f45410e999f2bc0147dc120974c574028a1507ddb14eaeaccb49479bdf1

SHA512
dcce6fa45ac77a99e52079308972d8f44c79cb8c036efb25171ff04b09e52af8cb99830391acbe2f5ee7b5c1240215432b1f88e82f6332a297cdd953bf6a74cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
9efe061789c576a36407bb949e477369

SHA1
ebd872dff8ddb5bd277d6da8c78e678838a4b6ec

SHA256
774d929e18dc9b323088138249e1776ca81cd4389e949019234d944a49cb36cf

SHA512
fe29e707381f6a15c9daf97740f682f9414287f7ef539789e669276ec7dff55d3682292139670cc71a36228ea8ba209e85d4cc5a6fe85d974c60d3cbafca25a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
4b0e2e21a6bddc5fc07d991d252e2ff3

SHA1
f837d87f5cd887691fa71c9fdfeaced16693a466

SHA256
f284081c6a2d5d463453d8b0333fc53f3847b07d58a28a67d13414b54be9b54a

SHA512
297a846e44de595806a2d116b8e1598112ac3e66404d0afc4b44d53864a5df65fe088d149d3ae62e09ef2d0feba64183d38f4353fcfb4b161e0cfa224e496382

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
18KB

MD5
94f76dd2d8009cf558d7d8f40c8d109c

SHA1
6aa2425b2fa4925f8b2895adda639c3e4a92cb4e

SHA256
457d275166c2966eb555bc51a8792429bc8d2103f0ac9c12109d84d75fb86753

SHA512
0b21927ecf193b1ffbcecaf2ab55588e4deb841e4b4853386ca3e1e5640f1c8b2fe8578220fe09118ac1091ecdb8284070a9c29f407c428ef20276934b479111

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
75271ec49105bb1ad1f2808eff816b2f

SHA1
3f5d1487b681fca37f61c136b5a82b601a9cee24

SHA256
8ce00af9dafad204fe53683a468465b18d6659ff2f2b067b481da2f1a519ec0d

SHA512
5cbf55741a58fb476712b27a321243f1b0d4bd445386bfded6a115eacff488691d7dd482f17849942da00d19e8f2afc3c922a7606dbef7fb345ad467e58f969b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
bdb247c44cbe2d5f63ac51a2378734f3

SHA1
024844330b6cc23986de94e2b80bc3c2e32c08de

SHA256
53f406badad3465d216d3f0b6f5a87adddec77b04f0bdc585d2de1e786d0aa13

SHA512
23bc82934d62081f6e662624990f2e823da11938d407ab1c0d1c00f4e0377527160ac82cce036b8804f8e76b0505ab7664bce2bfbe96e480baa466ab772820a0

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
36c744011f2c71f2caa553236b339d03

SHA1
1739c336922e03a8a138999d8247668a279c6d95

SHA256
a7eab595e57de5a17cfe132117b4fef50234dc9a15e452d900b63f9c377f6aa1

SHA512
b1b236dbaf45c78fbdfc5441ec05f95fbf4a64be45d07baf30a70a0c962921d436137e8d618ee872662476615740e88f05cc18d45f0af48511a886c2c165a3a8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
c4aba50a1fac1d4d5e13c5bcd9e852c9

SHA1
9c74e687194c16c8853298b75f1e859392280a1d

SHA256
09aee04971d4f9bb30f0b9fd17b0c6c17fd8a2d3d0a78d9a9b580bc73f1b7f2e

SHA512
88c1b12eb8d915386ecb1145fcd913e3648fc881adaed7264a7ed41ef4993b3d69fb09466464955a93895a65957a6e77e68cc0d808e8f1bca97e362c3b104bbf

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
6ac0e4f3277501ec673ea0c50869f7ee

SHA1
7a469e8fb0f7cbbf9a3dd605c265961e8b939676

SHA256
e1f08449a822c655b834b5cb8cea3e1e78e1aab14d5f9b20743f1fb36a0a3759

SHA512
1b03065fa39fcc84c6bef735e7ce357960f7df29a64d72350ee54af34b5b3de579d00ec9b8f2297bcf48fd9f1d27834a1cb1bc5590afb39a148980740a4df121

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
0f27fe92ec2071693fc68dbb871bc20d

SHA1
3aed60be45bd557abbd15547b1f6f30ef5640dd7

SHA256
f2b7d1d2cdd764fa52c5e9fe0a6be0e32915c6c3a166df2cd3fbcb9b1a878236

SHA512
0e155026925d8e47ec8d9c870f961ed8a189971e8d49cf4c86c4b1fac912c80001484d6a82ed3de22badbf7a32f631a9a2a055c80945149edff2953d7e57dfe5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LZ5U3ALX.txt

Filesize
511B

MD5
c892882006594a492f172ba570216a53

SHA1
4ec7deb7341ac962732a43f2f6756b2be2567bbc

SHA256
45262cae89c065290dcf841c5e95e4e2b2630584b0e52298f192e61bb60b7ac6

SHA512
a451c89aa1b0e05914b5134b1c7ece4a547d198f628082d58ef07fb689d3fa7acbfad3e7e1e4eda8dc234f04fcb1a4ffc4af9096f8f34e8f339f06c0f33b8e5b

Download Submit
C:\Windows\Installer\f773780.msi

Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe

Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
b5043eda3b89c980a4957f3667d7d53b

SHA1
2c0a4c924a255e57cd00dc65ff5fe2db45050d49

SHA256
6041dcdad508a9063d182479cf2f25d75b4bc38cb3f0c6f2067843a6b7dcfa08

SHA512
b3b85f7d023b6b59409721d5c4016d436319dee693d036d4498dc68d46a778bdefc7b35aee661a9a1e179ac2fa469dc47c4d5cc45c17df3893b5404eccafbd71

Download Submit
memory/480-3262-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1104-3573-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1300-3342-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1984-3439-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1984-3433-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1984-3395-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1984-3394-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2136-3487-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2140-3504-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2140-3506-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2144-19-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2144-1537-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-2204-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2205-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/2144-1536-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2144-687-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/2144-686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-790-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2144-789-0x0000000000FD0000-0x00000000013B9000-memory.dmp

Filesize
3.9MB

Download
memory/2260-3347-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2260-3346-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2260-3384-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2260-3390-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2368-6-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/2368-18-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/2368-16-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/2368-1547-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/2716-2208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2876-3618-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3693-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3721-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3725-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3727-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3728-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3732-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3742-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3632-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3744-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3616-0x0000000001CA0000-0x0000000001CAA000-memory.dmp

Filesize
40KB

Download
memory/2876-3615-0x0000000001CA0000-0x0000000001CAA000-memory.dmp

Filesize
40KB

Download
memory/2876-3705-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-3583-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2876-4400-0x0000000001CA0000-0x0000000001CAA000-memory.dmp

Filesize
40KB

Download
memory/2876-4401-0x0000000001CA0000-0x0000000001CAA000-memory.dmp

Filesize
40KB

Download
memory/2888-2995-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2888-3000-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2888-2996-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2888-2991-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download