8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.9.exe
Size

24.1MB
MD5

79673d0cd668ac6e4ecfc7dcc4db5b23
SHA1

0a576f857765e759f582126f099b0c04c6c6349e
SHA256

8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d
SHA512

a9d1c9d47cf67bf80a60c6250cd84151551e549a1ff179faa62381260d03d531dbd5b1df2bc83a43f71ab5a699aaf593ba6606416e3c8957b6c2fa8e3863f8c9
SSDEEP

786432:+KAWuabJBM9irrKJBH5lFRqH0fYk/pUJ8a:+KDMQPKJBZlCUfYSpUJ8

Score

7^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 18 IoCs

pid	Process
2860	irsetup.exe
2972	BrowserInstaller.exe
1692	irsetup.exe
1588	jre-windows.exe
2404	jre-windows.exe
2356	installer.exe
1156	javaw.exe
2700	ssvagent.exe
2788	javaws.exe
2676	jp2launcher.exe
1328	javaws.exe
2992	jp2launcher.exe
1344	javaw.exe
676	javaw.exe
2084	TLauncher.exe
1608	javaw.exe
2936	TLauncher.exe
1976	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1496	TLauncher-Installer-1.4.9.exe
1496	TLauncher-Installer-1.4.9.exe
1496	TLauncher-Installer-1.4.9.exe
1496	TLauncher-Installer-1.4.9.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2972	BrowserInstaller.exe
2972	BrowserInstaller.exe
2972	BrowserInstaller.exe
2972	BrowserInstaller.exe
1692	irsetup.exe
1692	irsetup.exe
1692	irsetup.exe
2860	irsetup.exe
1588	jre-windows.exe
1244	Process not Found
1244	Process not Found
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
2644	msiexec.exe
2356	installer.exe
2356	installer.exe
2356	installer.exe
860	Process not Found
860	Process not Found
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe
1156	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2244	icacls.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016433-3.dat	upx
behavioral1/memory/1496-14-0x00000000033C0000-0x00000000037A9000-memory.dmp	upx
behavioral1/memory/2860-18-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-764-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-803-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/files/0x000400000001e030-829.dat	upx
behavioral1/memory/1692-858-0x0000000000C80000-0x0000000001069000-memory.dmp	upx
behavioral1/memory/1692-920-0x0000000000C80000-0x0000000001069000-memory.dmp	upx
behavioral1/memory/2860-1654-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-1672-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-1843-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-2603-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-2816-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2860-3671-0x00000000009F0000-0x0000000000DD9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	2644	msiexec.exe
28	2644	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259572965\java.exe	installer.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxwebkit.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2CE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB98D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b390.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB843.tmp	msiexec.exe
File created	C:\Windows\Installer\f78b38a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB738.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC41.tmp	msiexec.exe
File created	C:\Windows\Installer\f78b390.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b387.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8B1.tmp	msiexec.exe
File created	C:\Windows\Installer\f78b38d.msi	msiexec.exe
File created	C:\Windows\Installer\f78b392.msi	msiexec.exe
File created	C:\Windows\Installer\f78b387.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f78b38c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b38a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78b38d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB92F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB777.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.4.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BrowserInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_213"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\JavaSoft\DeploymentProperties\deployment.roaming.profile = "false"	jp2launcher.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_43"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0363-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_363"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0115-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0286-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0232-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0393-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_23"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0160-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0180-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0334-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0110-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_110"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0198-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_198"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0128-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0133-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0411-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_26"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0190-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_78"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0337-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0146-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_78"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0407-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0367-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_37"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0339-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0213-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0154-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_154"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0142-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0357-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0323-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0303-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_07"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0308-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0334-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_270"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_77"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_63"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_37"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0085-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_85"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0083-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0292-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0351-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0126-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_126"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0321-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0401-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0062-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_62"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0111-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_51"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0334-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_334"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0164-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0398-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0157-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0066-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0358-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0145-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_87"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_39"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1692	irsetup.exe
1692	irsetup.exe
2644	msiexec.exe
2644	msiexec.exe
2788	javaws.exe
2676	jp2launcher.exe
1328	javaws.exe
2992	jp2launcher.exe
2644	msiexec.exe
2644	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2404	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2404	jre-windows.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeCreateTokenPrivilege	2404	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2404	jre-windows.exe
Token: SeLockMemoryPrivilege	2404	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2404	jre-windows.exe
Token: SeMachineAccountPrivilege	2404	jre-windows.exe
Token: SeTcbPrivilege	2404	jre-windows.exe
Token: SeSecurityPrivilege	2404	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2404	jre-windows.exe
Token: SeLoadDriverPrivilege	2404	jre-windows.exe
Token: SeSystemProfilePrivilege	2404	jre-windows.exe
Token: SeSystemtimePrivilege	2404	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2404	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2404	jre-windows.exe
Token: SeCreatePagefilePrivilege	2404	jre-windows.exe
Token: SeCreatePermanentPrivilege	2404	jre-windows.exe
Token: SeBackupPrivilege	2404	jre-windows.exe
Token: SeRestorePrivilege	2404	jre-windows.exe
Token: SeShutdownPrivilege	2404	jre-windows.exe
Token: SeDebugPrivilege	2404	jre-windows.exe
Token: SeAuditPrivilege	2404	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2404	jre-windows.exe
Token: SeChangeNotifyPrivilege	2404	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2404	jre-windows.exe
Token: SeUndockPrivilege	2404	jre-windows.exe
Token: SeSyncAgentPrivilege	2404	jre-windows.exe
Token: SeEnableDelegationPrivilege	2404	jre-windows.exe
Token: SeManageVolumePrivilege	2404	jre-windows.exe
Token: SeImpersonatePrivilege	2404	jre-windows.exe
Token: SeCreateGlobalPrivilege	2404	jre-windows.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
2860	irsetup.exe
1692	irsetup.exe
1692	irsetup.exe
2404	jre-windows.exe
2404	jre-windows.exe
2404	jre-windows.exe
2404	jre-windows.exe
2676	jp2launcher.exe
2992	jp2launcher.exe
1608	javaw.exe
1608	javaw.exe
1976	javaw.exe
1976	javaw.exe
1976	javaw.exe
1976	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 1496 wrote to memory of 2860	1496	TLauncher-Installer-1.4.9.exe	30
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2860 wrote to memory of 2972	2860	irsetup.exe	32
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2972 wrote to memory of 1692	2972	BrowserInstaller.exe	33
PID 2860 wrote to memory of 1588	2860	irsetup.exe	35
PID 2860 wrote to memory of 1588	2860	irsetup.exe	35
PID 2860 wrote to memory of 1588	2860	irsetup.exe	35
PID 2860 wrote to memory of 1588	2860	irsetup.exe	35
PID 1588 wrote to memory of 2404	1588	jre-windows.exe	36
PID 1588 wrote to memory of 2404	1588	jre-windows.exe	36
PID 1588 wrote to memory of 2404	1588	jre-windows.exe	36
PID 2644 wrote to memory of 1976	2644	msiexec.exe	39
PID 2644 wrote to memory of 1976	2644	msiexec.exe	39
PID 2644 wrote to memory of 1976	2644	msiexec.exe	39
PID 2644 wrote to memory of 1976	2644	msiexec.exe	39
PID 2644 wrote to memory of 1976	2644	msiexec.exe	39
PID 2644 wrote to memory of 2356	2644	msiexec.exe	40
PID 2644 wrote to memory of 2356	2644	msiexec.exe	40
PID 2644 wrote to memory of 2356	2644	msiexec.exe	40
PID 2356 wrote to memory of 1156	2356	installer.exe	41
PID 2356 wrote to memory of 1156	2356	installer.exe	41
PID 2356 wrote to memory of 1156	2356	installer.exe	41
PID 2356 wrote to memory of 2788	2356	installer.exe	43
PID 2356 wrote to memory of 2788	2356	installer.exe	43
PID 2356 wrote to memory of 2788	2356	installer.exe	43
PID 2788 wrote to memory of 2676	2788	javaws.exe	44
PID 2788 wrote to memory of 2676	2788	javaws.exe	44
PID 2788 wrote to memory of 2676	2788	javaws.exe	44
PID 2356 wrote to memory of 1328	2356	installer.exe	45
PID 2356 wrote to memory of 1328	2356	installer.exe	45
PID 2356 wrote to memory of 1328	2356	installer.exe	45
PID 1328 wrote to memory of 2992	1328	javaws.exe	46
PID 1328 wrote to memory of 2992	1328	javaws.exe	46
PID 1328 wrote to memory of 2992	1328	javaws.exe	46
PID 2644 wrote to memory of 1752	2644	msiexec.exe	47
PID 2644 wrote to memory of 1752	2644	msiexec.exe	47
PID 2644 wrote to memory of 1752	2644	msiexec.exe	47
PID 2644 wrote to memory of 1752	2644	msiexec.exe	47
PID 2644 wrote to memory of 1752	2644	msiexec.exe	47
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1748	2644	msiexec.exe	51
PID 2644 wrote to memory of 1756	2644	msiexec.exe	52

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe" "__IRCT:3" "__IRTSS:25232289" "__IRSID:S-1-5-21-2172136094-3310281978-782691160-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-2172136094-3310281978-782691160-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\jds259563620.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259563620.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2404
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        Executes dropped EXE
        
        PID:1344
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        Executes dropped EXE
        
        PID:676
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 31A7D9F3B6C1A1387DE90E05128615F5
  2⤵
  - Loads dropped DLL
  PID:1976
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1156
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2700
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2676
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2992
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding D08CC9B2717DC781965620F04FF551E9 M Global\MSI0000
  2⤵
  PID:1752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9130A2FC1CA0184D81F1075E6352DCEC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E7F45F6D0EDF9CC0A4AD7654F989BAC1 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1608
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78b38b.rbs

Filesize
962KB

MD5
50db29852be26e8175e29aa3dd240abd

SHA1
c34f37b7782578cc32a2eaecc342e2238f4a6a2c

SHA256
d7efd0a6c2997ed122efc80b29ac4496af9f6b63ad7a0f92dd1eec866975a8b3

SHA512
5ccac9376ceb2530e5d7834b2f9c7d42981498e7acd30c5483d68ddfdb08d2df67e4066ee7f8719908f74b6b84abe3713ecb5aa84e510e82dcf0a6a0b1874510

Download Submit
C:\Config.Msi\f78b391.rbs

Filesize
7KB

MD5
bdfe4bf6e4ec8bc5580906740c4be841

SHA1
0775d12dee94599c97c2aa3bb530acac2967093d

SHA256
4fc810f41025c3d136fdd7f0453cf2ff84dfc9924a4ce7f76f5a6d5143f2b3ca

SHA512
841552220becf53e0c00d46cf7a2653dc48249f769c5d73a2bd9abfc1ab2148fa0b1232a4ed5e17a1b9d5c419315bdabf8fefdbfde549cb00d2388d2a2df4292

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
6d5d7d3589c3daa08221c99cf53e6ad0

SHA1
46faf66d2adca6683e94b9b4cf379850ae5b28f4

SHA256
d6671565f0b32d97c621d13e4236282881348561bda753043d70ed39cfca1ce5

SHA512
4ffca8f3089592e689b0226d93f8eddf1ef3f9118927085dc160782467c9ee9410d19467279cd468e172dc1bd1577b0c3b75341208052032300780eebb097504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d352f1dbba53ebe58628e13826d4c6

SHA1
916fe4e39076912b1aef81bff0cfba59c3b979eb

SHA256
27d83092e77fa768661d392219fa75050a0d48118b3c9ad0c65d278ff7588905

SHA512
e2dfe0e201d37e0aa9730045d34cb00cc0f50558aba7c933164c305bfb7f13b07b581a960dac34b6d0ba88188d0eafdfdbb25a0ffda365c5d43377f32c41a744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
297b5536b0a450c949c0ebd8c41dea8c

SHA1
f727133d34fc699f0d8edd7db3f1c090baddf440

SHA256
b03d6a2744b64d0566b833147414edaced3a7e9bcbd3715cf2c985f086abbf96

SHA512
1655be37700f7caa64fc1f9026437e1989fcaf489ae0b7fbf90f35227ef2d00672b6b0200a4ba22a3d53b91e829c4f8f5a00478d6ba3f1a982c4522879df327c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a58bfe455b86e788f33d3a8cb314c09a

SHA1
daada8754e154f878544dae6e91c1a4fe517a110

SHA256
306a4db0ce0ea87cd01616e85c249b98258b99decd81a49f33ae1fc6f3136907

SHA512
75d67d27ed6b0135237e2eb47dd369e79559999e6f5eb72d25d4d2da9482347d6a319b6d74da698e9653ca8e79aa2386ff15afa2d56813f0240a8018014d04c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
8ed1c8f17a77dcd2c566357c6089eefe

SHA1
901fdd788a230f37587cb106d5c2189b7f93c7f7

SHA256
84c9c2d55639cc8fd37285b120518dbbebb0eb36873056b38e455df9cad96339

SHA512
715fd7ec37fa4922a5da130e634b5a62a494e820ecd2eb5a73be7bb378d98e266fbf7e0eabdc9a3fba4c626287f66debdbfd4066e63b6cd37410129a01a99e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\runtime[1]

Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0FA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB11D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG

Filesize
206B

MD5
ce98fbb31a48add445b91dea01249599

SHA1
aa2496a5a093c852e93dd7bcb85c60a3a5a261d2

SHA256
3b67e9de2c970d408662c6f82aa0f4d65545eab6ade30213668580b5d5bdc361

SHA512
e2495bc7c106484f25c43c99db1a31c492c6a90abaa761bd67cfc3cc95d3cfa255202d6829bb0fb8834d17a6a5dc29540ba0647a0ec7703c318e1e12521681c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
2c514bd7dfd4f27367eef795df2be8b1

SHA1
7f01317b1be248a599279a0772153feb570b8535

SHA256
709f42f77d52118942c68932ffff7cc6db58a5b31a2b9098e0ed68a377a44d0a

SHA512
828ca614a82210205be9d03fab21393b57071de49a40c979f666d8aa492cfe62ac7827a63fc11ee955ee03f5adbbb3906da630b9058da530acb615429261b026

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
79e5cf49ee3a4909162476b3995d2f19

SHA1
d92481b1b7d44afbbd6f3b5eb676eb30dd62016b

SHA256
99c3d263f71af8b914aa9ddda9285f950b9393685c8d7d4dac93aba27e3b3114

SHA512
8eb4fcf894c7ac1e581d24b28d617cf5ffdd7f32ee11e997193a31d7a7bf035f2bbfcb4bd57ae29fa984d2ec4f3e4b97b23084bc2ed12a9bc222cdc6c9f157e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
3385b6d8085d360e3f5089ebf3617f5b

SHA1
56689fea821642bbc64d4b0c7fd033a9b0607376

SHA256
3d1b359ab9e72ffc36722803b921d6a08f730c9003c25d7ffda393621803aea2

SHA512
013efb3b0d9b8be6eff13eb05d56d0b0062cbd1a958a17b00748e1a0a7424d281fa8033c55f31d6bd18037e60063ef1999d57136fe45595edc87741bed6bdbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
151KB

MD5
c2be5f72a6cb93af45f70fcd786149a6

SHA1
91a3250d829e7019c7b96dc2886f1d961169a87f

SHA256
f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6

SHA512
522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
f668216d5155e9ba3d31eaaa78866635

SHA1
e1913f954a3b0e0248e03d67154b0a0d12f4ea4b

SHA256
1ea0a627b59c62fac2fc3426595cd5cea570a7b50ab8eac43de7bf15b10274a8

SHA512
e2b5e6db2e50e6cf2d6cf1ff8cf08dc6fdd527c3eda60513064523e3a5174d9d3d1ab876f45a34dfdb6171516d7118d5ed122ea0b6516b2a2a199972953e8d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
476cdc7ce11c6927a0a4543d13eca99d

SHA1
5ae90d841d13203e3d4be9c986873a93f80e0cad

SHA256
a6a25f7804c6729bba15f30c02f6d5b7b97a396312ae301685de55a578780415

SHA512
b48c742708ac0a33725aab67da8db77e88b539892beb67e7329d047ae3000b136056c809bd473aa79230fde6479dc1cca8cea1eb97e8029543da7fa655018ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
23KB

MD5
e7c02fb8898d4bd7de1573433a3ed7b5

SHA1
3fdc9f8485ac865b9d5d3b98c97b045810e71f96

SHA256
f6e38df66a8ce589f7b7ef957a7ed7baf82bf541f131bbce4c1c158f0fd31174

SHA512
a9a64abe78f8e1c5b98eac285e2be0e0bb08c162d5a6176d4bdec054ac54fb9c70a9bae239676e4948b1f36e9be7a39b075ccf6a4dc0ffa5e1b2c4a24a9bf094

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
751B

MD5
4c2424642aa7aec558c0c66390e0f5e9

SHA1
520f366f5c7ba5c74b15db4cb897f388d889231f

SHA256
95a52205e2568a117ef2a01a9088eb4c487a23ba3de5571ce7af0f0421e6a6d9

SHA512
29309d16360ed4e7346e3b74b804cba20729922d026f5590c5f9aecf64f00de3993efe09087d38fc6abd3919e54aeabeb9fef6d9364242fabf5585606f7642cb

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
66f6065f9f54487aa740e0dcaa2951b4

SHA1
6ee958852ac17dd5e7ad2614f697e61dd72c2d80

SHA256
2264bcdf6498620779f0c4b8fe23da78c7f7773d9649e0d8efd38e6df0cca232

SHA512
4694bea262f6c516d51581a1c652163d9fdafbdfb7540b12b8a972cf2faa612dcf849c56b9b74d4247324e78f9ca5561205fc3ba1542c3104c1fa0986e3c5731

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
22KB

MD5
0f35a9a97a16daa0192234e5d16a0059

SHA1
b6cf13bdb41e1302267cc0b01a842d82e68c32a4

SHA256
520ec8af70bf3e6b44becbdb52366c1fe02f6f2b7603fa6bddf0caff641ef027

SHA512
8272f78159126ece15c7a1ff7671608a8a5d7738ff1a53879c409be6430eb031a6c8002f3c6b0da5dd66fddda3117f4ba6f9099abf326b69bdbe865e8636489c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
9d63685a0c391d721ebcf87310b25f39

SHA1
c9ae79e1db7e17107186d61c306f46d1aeacf064

SHA256
55e9b3abdcc91a9981fa413b594d8c243c0947bc5cdb98f50c3edc322a78f044

SHA512
f34bffe9451fa2c99804fc7cbd3c9662a5536ca50603f1fd9fe5bf38b426231ea66888993ea9696fbaafb892cfa6cef1d33d5ade4743ffbcd5b330adffb5f19d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
23f0faf72cf4bb8bb8e98e48826df4ab

SHA1
e20a505f97e77c62cc81e76fc73c0e196d6c067d

SHA256
97d8f85e825e532d18b6d8d7666d1f939c86397b5a91b809ef5f3f0731de52f6

SHA512
6c34b366a54bf34891f16cbf17b1c8f11ec57d6e50473aa60bd5ee4c034056573d948328d6f87c8cabff11d60601efe31e0f4df0b5d6ddd20e8fcca5a818ebb0

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
befea87e5bb3fbb2e93fd23f812a7e8e

SHA1
3dfa6cfd8556f86907f62ce14cf09c99548bae64

SHA256
7e4cf8dc3fe613b14f317ea00a365841bf8a2178a691726e557f314072ae603d

SHA512
1ee90b045bffd717730f89c6169f2024b79091b1ee22cd22a6bf65d9a30c94181b12ce817c629e464bc41a38247ba709b12d0ec20e7ef8f64d5ba3e7c7c92d28

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG9.PNG

Filesize
438B

MD5
bcbf4818ea003315d9c0c4f6fca2838c

SHA1
379eedbbf160ef73047a54948c816a9f2bc6dcfb

SHA256
97b8e3dac4668d6f745f778b54e6031166d39f73fc893ccdca34e60b2681a4bb

SHA512
c1373ea355e33507f034562683795b7d80ed57d4ac2f3d7f09d980039fd632236079be950fa4b6249bf81d0b85f8049ad3621194de8d2d0b0d0f082241ca3125

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
5add4e198ae82d49a80dce851ae88363

SHA1
b45cfd9008b16bb36c44f2466cdfcd9f7e56b5cd

SHA256
b41803063e5b3eb0fd8ac66312dd5476373d7a565e76a8237f5760541d6b4970

SHA512
9ef63d9168b7c08a7e9aed860d2fe83cb074ed49f00a0f7c5d063b218eac26fe58657da436b88e94d1ca01ce1e624133d7caec654bae637ca4ff9c6ea264e4de

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\NOT_RUN_TLAUNCHER.txt

Filesize
2KB

MD5
7e1f99bbaeab34cb3bbaf61bb56836fa

SHA1
30cca493f09b496fec5f3c83cd31113ee1683c52

SHA256
94df1e31e53e0bd37d0bc1e5df637c7bbf4a1f14b41a7603b8ccf05f61b697ea

SHA512
c5500ebde9754f376d7e4445230af79bdb03bafb48fd72cd5bd02558e93e524ba2f90c670ec1fe0717733d94bd99c89b35e004d23785358a107820a1a4b0b766

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.jre_removed.json

Filesize
2KB

MD5
5e2f3f4a6d81d9370769128b16218fa1

SHA1
54bc3d355ee4c76da90bde7f290a20af1762b938

SHA256
66347d46051d314f0b02fc594e5a9c4e06f21e3adfa3ea36e593cba63afb313c

SHA512
b952c46efa6c32a9b4b77c8b48cfdc6d5aa5d24ab060f9313c1df792bc18913d286c148277c34c8ea7c9c8bd5a3d332509078f89583bee3ad847398b3a7272c1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.libraries_removed.json

Filesize
13KB

MD5
656afe320bf34a8a79617a9740821eff

SHA1
88dd7d0e1331f159881458ccab29a81b93e11785

SHA256
4ae1e18c84222293da3912b6fc06dd66abb20612c984f915607bb90026718f1c

SHA512
532be539066de0b3124ea36f06c197de34cf056878c124f393f7f7ae6b32a80401f325a99c0ce282f468a83f4e9b9c8747018b2bac100e0bff70b49065c8a01e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.924\dependencies.json

Filesize
17KB

MD5
63efc497f38e113390292117062cbba6

SHA1
be942f92cce4876068f8100e0c2f791cfb2d7acb

SHA256
ebc5231524854028e6b4a34bedbb91dbe311e4f40802e88c4ea340c3459db661

SHA512
f6850f315cc1f5507ff194b2a2588cfbb3314947b973afe369f75d0435f3a30c2de7086c0796cedb2b156002b2ba5c4c12e3d4dc099f3e5e15cc32a02ea05bb6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.924\resources.json

Filesize
17KB

MD5
39ce244fc02a8306645263bc762c3f68

SHA1
8a7466cdea0b463346fd9a24928d8c0cfcc6eddf

SHA256
d870c69c8a8cc0f64c0c5cc599cad6e64675fd68b80a1d1b6fbcfc5f8945d2e3

SHA512
4274215a1ae01d93c0baf46881c4fc1507b20315f8058b587b693da8791c18da318dfd35a1e4ba8bb908b38da935d117d3204dda56a511d0f50dbf411f4ad6aa

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
bbe6c940b1257b9c5b2c153ad15d577e

SHA1
68adad71094b3ba44c29ac094d1a3302109897d4

SHA256
4b41c9415d9c8657f02c30533824db8c08cfade715a1c558b3838c4e9f89d2a7

SHA512
97268f256526280f2e2a7021460210724c87216dd863809233eca8b5c12023b276a3d4ff2f6be05d3bd0652c05a06e106c3d2c4b0cfa28689e45243066ae4602

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-lang3-3.4.jar

Filesize
424KB

MD5
8667a442ee77e509fbe8176b94726eb2

SHA1
5fe28b9518e58819180a43a850fbc0dd24b7c050

SHA256
734c8356420cc8e30c795d64fd1fcd5d44ea9d90342a2cc3262c5158fbc6d98b

SHA512
b1b556692341a240f8b81f8f71b8b5c0225ccf857ce1b185e7fe6d7a9bb2a4d77823496cd6e2697a20386e7f3ba02d476a0e4ff38071367beb3090104544922d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1-win.jar

Filesize
5.5MB

MD5
70572dde1929e135369fcd160f16a996

SHA1
54a0beb140a8f9b351a2a0ea53c4546d3cf9a08f

SHA256
83a077938d70c356041ec86183503acb4950519a2fed438679402b35e4831170

SHA512
56102b0ca3e4123216ae48d13b7a1c6bd86047025a3c3efce1c9a59403f8d2c47eb7b902a3d9435a5c98e931e673e747c0022fc31a9a36655eaa70b2c71b233c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.12.json

Filesize
304B

MD5
c0aa9a1b0900982f72e072f6f85a0ce1

SHA1
922c8819eea3221d2c0d36071558707168d36fcb

SHA256
cf2131de69ea20ba705838999ff20a5e94dd888ec08c3230f90b09b7e5d1801b

SHA512
ebb26772bf7cb67297653f9dbda5478cb43f9c0575cb730797023374e6cb8b8b683fa8d11fc28b2bd09d4c33adc67203b92741e96d91e5a4010fb6f432da8527

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.7.10.json

Filesize
300B

MD5
33386dab73eb261523775cbcac309300

SHA1
dfd076b6e8492a83e39c00fcdea9dbe282e3dba7

SHA256
9eab2926a13dc0e6d4889c0aa4d1f3b8f1df6c02f2ee087b5fcecb7a4f780c87

SHA512
445e1a1eee477d68c4bccd5ca942985d4485138622e4a2f48b3a1fc11fa70c4d9a7abf5f403a2989f78662de04fd3a38c0c6376fa0cd10bfd0ca1dcf5082267c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO

Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION

Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE

Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\removedFolders.txt

Filesize
703B

MD5
66f2bf2a3cfc55320fdcbeadef07c78c

SHA1
2c34e9fdd3cc033a31b26d443b76c643013f0565

SHA256
342732fd5c95d6735b2567ca3638f53842ee19444fd7f36c2f2c437a835d5f1f

SHA512
fcb5d465f37de84bbcb0843e915c9f0ad1f661e2de1b5924d8274d19713754621d806a6bd49679459bf9c87a368efbcee7cff82a1c400b4cefb6c3b063ad6dfe

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\signatures.json

Filesize
8KB

MD5
1c836d1767b58a864ec401f0966914a0

SHA1
6014275288006534525ffa75ce1a1b66438e036a

SHA256
a19b7acbe605085ddee8df50268e1f9284c75ed9584e924f1474916d09d848b8

SHA512
dd43b3222a6398f69c71603762ca595d8a84d47b28d10b5ec0dc8da8fbf9d07deae656791f665de4a2df806a66203bb8ccd3bdf4f29d2596937b17e2c30eee3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\tl_dependencies.json

Filesize
1KB

MD5
107d05532cf0a58577ae6de603276a42

SHA1
54c12373677ab04e84cc2e7cb1930649ba38a952

SHA256
b32a5f902b1387192c76cc2d48540dc2b26534caab2d59b2fa054fd48c94a871

SHA512
0812455aae0d77692b903861ecdc1052d7106c387ce28adbfe4e8bca0841fe2d3865be3b16db4c9168ddcfc859370ce2402e2c5181ff34baaaeb9622bce74772

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\НЕ_ЗАПУСТИЛСЯ_TLAUNCHER.txt

Filesize
3KB

MD5
4ddbbef4c1a0a004b853ee4ed7533601

SHA1
d12b2ab682eecc5e3a3b63618fd1c95e2ecbfc87

SHA256
04204513df6f55bd1d47893e0b041ca5284b45c514eda457f3622cd2b3136f4c

SHA512
d30709a61b85914947d89b1438888a29c9467f97171d7a617b36fe417c42e407d7837c9325a3c814690c8a5afdffd13c5de4e0bf26fa1a969f63e9ab0fb79f04

Download Submit
C:\Windows\Installer\MSIB6BA.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
C:\Windows\Installer\f78b38d.msi

Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
f3b300079862aff353b412d490bf5abc

SHA1
b61ad13daa7d39a02aa1329788ece0737390a45d

SHA256
c052cb74d9b0ce37efba9c018b5bcf74c51cfbdcaf990ae53cb9772ea318945a

SHA512
d6e02701ec0990fd9a4b0e82ce69048a35ac114e7515ed2ed6a445ec9f8ad9f98287491e087a269b3e973fb55da360e2df1a516a9fa850c68cfcfaadacb2fbb6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
07552732fa64db456300880d52e81b2f

SHA1
9a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc

SHA256
94bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226

SHA512
47e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0

Download Submit
memory/676-2909-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/676-2907-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1156-2415-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1344-2891-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1344-2896-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1496-766-0x00000000033C0000-0x00000000037A9000-memory.dmp

Filesize
3.9MB

Download
memory/1496-14-0x00000000033C0000-0x00000000037A9000-memory.dmp

Filesize
3.9MB

Download
memory/1496-15-0x00000000033C0000-0x00000000037A9000-memory.dmp

Filesize
3.9MB

Download
memory/1608-4588-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/1608-3675-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1608-3683-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1608-4587-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/1608-3760-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/1608-3759-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/1692-858-0x0000000000C80000-0x0000000001069000-memory.dmp

Filesize
3.9MB

Download
memory/1692-920-0x0000000000C80000-0x0000000001069000-memory.dmp

Filesize
3.9MB

Download
memory/1976-5596-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1976-4597-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1976-3797-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1976-3684-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2084-3000-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2404-2758-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/2676-2599-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2676-2633-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2676-2586-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2676-2602-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2676-2627-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-803-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-1674-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/2860-18-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-686-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/2860-685-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2860-765-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2860-764-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-2817-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2860-2603-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-2816-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-3671-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-1843-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-1672-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-768-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2860-1673-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2860-1654-0x00000000009F0000-0x0000000000DD9000-memory.dmp

Filesize
3.9MB

Download
memory/2860-769-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/2860-814-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/2936-3287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2972-854-0x0000000003280000-0x0000000003669000-memory.dmp

Filesize
3.9MB

Download
memory/2972-850-0x0000000003280000-0x0000000003669000-memory.dmp

Filesize
3.9MB

Download
memory/2972-842-0x0000000003280000-0x0000000003669000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2676-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-2692-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-2647-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-2660-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-2663-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2992-2664-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download