2aab5f27a6947ef86868c5118a09743e54123444f8e846064b05277f51060723

Resubmissions

13/09/2024, 19:09

240913-xt8nhstgkg 8

13/09/2024, 19:02

240913-xp3xgashrq 8

Analysis

max time kernel
103s
max time network
105s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.5.1.exe
Size

24.1MB
MD5

f245d48c03c913315a2ddef555484f0f
SHA1

8b15789d7ea71a80e57d745531376fb9b778d750
SHA256

2aab5f27a6947ef86868c5118a09743e54123444f8e846064b05277f51060723
SHA512

0f6baf1e5180e82b59a91cb3079d07bfaf1520fa974ca94bed9bec2cc0bf681d5081b880fa3aacfa59add88d5bae7980cfc4d5aa95aa1ab9d8f46e66c7892a96
SSDEEP

786432:NKgLCOrD1bJkM9irrKJBH5lFRqkd4zUcjc+orlG:NKHjMQPKJBZlCkOQcrorl

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 19 IoCs

pid	Process
2400	irsetup.exe
932	BrowserInstaller.exe
1012	irsetup.exe
2908	jre-windows.exe
2384	jre-windows.exe
576	installer.exe
1580	javaw.exe
2056	ssvagent.exe
2212	javaws.exe
3004	jp2launcher.exe
2036	javaws.exe
2180	jp2launcher.exe
904	MSICB36.tmp
800	TLauncher.exe
592	javaw.exe
1076	javaw.exe
2392	javaw.exe
1356	TLauncher.exe
3172	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2100	TLauncher-Installer-1.5.1.exe
2100	TLauncher-Installer-1.5.1.exe
2100	TLauncher-Installer-1.5.1.exe
2100	TLauncher-Installer-1.5.1.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
932	BrowserInstaller.exe
932	BrowserInstaller.exe
932	BrowserInstaller.exe
932	BrowserInstaller.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
2400	irsetup.exe
2908	jre-windows.exe
1216	Process not Found
1216	Process not Found
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
3012	msiexec.exe
576	installer.exe
576	installer.exe
576	installer.exe
856	Process not Found
856	Process not Found
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe
1580	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2312	icacls.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016c53-3.dat	upx
behavioral1/memory/2100-6-0x0000000003360000-0x0000000003749000-memory.dmp	upx
behavioral1/memory/2400-18-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-765-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-786-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/files/0x000400000001e0c3-829.dat	upx
behavioral1/memory/1012-839-0x0000000000020000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2400-1418-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/1012-1428-0x0000000000020000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2400-2164-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-2180-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-2567-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/1012-3079-0x0000000000020000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2400-3111-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/1012-3221-0x0000000000020000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2400-3355-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-3555-0x0000000000190000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2400-4666-0x0000000000190000-0x0000000000579000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
36	3012	msiexec.exe
37	3012	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\java.exe	rundll32.exe
File created	C:\Windows\system32\javaw.exe	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\javaws.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\glass.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayenne	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javafx-font.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\zip.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\trusted.libraries	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\GRAY.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\nio.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\rt.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6B88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7071.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7767cb.ipi	msiexec.exe
File created	C:\Windows\Installer\f776a18.ipi	msiexec.exe
File created	C:\Windows\Installer\f7767c8.msi	msiexec.exe
File created	C:\Windows\Installer\f7767cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB38E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E.tmp	msiexec.exe
File created	C:\Windows\Installer\f776a1a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6EF.tmp	msiexec.exe
File created	C:\Windows\Installer\f7767cb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776a18.ipi	msiexec.exe
File created	C:\Windows\Installer\f7767d0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7767d0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI718B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ACC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI215.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776a15.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7767c8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB38F.tmp	msiexec.exe
File created	C:\Windows\Installer\f776a15.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.5.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BrowserInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_178"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0370-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_52"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0189-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0222-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0032-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0304-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_304"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_92"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0247-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_64"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0341-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0393-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 11.401.2"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0134-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0256-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_256"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0272-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_41"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_58"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0057-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_149"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0158-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0375-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_148"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_07"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0123-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_123"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0231-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0389-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_389"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0251-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0379-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0392-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0041-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_45"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0365-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0084-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0089-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0275-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "Java(tm) Plug-In SSV Helper"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0392-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0353-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0276-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_276"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0335-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0391-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\INPROCSERVER32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0397-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0077-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0184-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0392-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0260-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0368-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_43"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0283-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0285-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_285"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_57"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0214-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBC}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0194-ABCDEFFEDCBB}	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1012	irsetup.exe
1012	irsetup.exe
3012	msiexec.exe
3012	msiexec.exe
2212	javaws.exe
3004	jp2launcher.exe
2036	javaws.exe
2180	jp2launcher.exe
904	MSICB36.tmp
3012	msiexec.exe
3012	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeSecurityPrivilege	3012	msiexec.exe
Token: SeCreateTokenPrivilege	2384	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2384	jre-windows.exe
Token: SeLockMemoryPrivilege	2384	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2384	jre-windows.exe
Token: SeMachineAccountPrivilege	2384	jre-windows.exe
Token: SeTcbPrivilege	2384	jre-windows.exe
Token: SeSecurityPrivilege	2384	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2384	jre-windows.exe
Token: SeLoadDriverPrivilege	2384	jre-windows.exe
Token: SeSystemProfilePrivilege	2384	jre-windows.exe
Token: SeSystemtimePrivilege	2384	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2384	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2384	jre-windows.exe
Token: SeCreatePagefilePrivilege	2384	jre-windows.exe
Token: SeCreatePermanentPrivilege	2384	jre-windows.exe
Token: SeBackupPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	2384	jre-windows.exe
Token: SeShutdownPrivilege	2384	jre-windows.exe
Token: SeDebugPrivilege	2384	jre-windows.exe
Token: SeAuditPrivilege	2384	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2384	jre-windows.exe
Token: SeChangeNotifyPrivilege	2384	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2384	jre-windows.exe
Token: SeUndockPrivilege	2384	jre-windows.exe
Token: SeSyncAgentPrivilege	2384	jre-windows.exe
Token: SeEnableDelegationPrivilege	2384	jre-windows.exe
Token: SeManageVolumePrivilege	2384	jre-windows.exe
Token: SeImpersonatePrivilege	2384	jre-windows.exe
Token: SeCreateGlobalPrivilege	2384	jre-windows.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe
Token: SeRestorePrivilege	3012	msiexec.exe
Token: SeTakeOwnershipPrivilege	3012	msiexec.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2384	jre-windows.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
2400	irsetup.exe
1012	irsetup.exe
1012	irsetup.exe
2384	jre-windows.exe
2384	jre-windows.exe
2384	jre-windows.exe
2384	jre-windows.exe
3004	jp2launcher.exe
2180	jp2launcher.exe
592	javaw.exe
592	javaw.exe
3172	javaw.exe
3172	javaw.exe
3172	javaw.exe
3172	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2100 wrote to memory of 2400	2100	TLauncher-Installer-1.5.1.exe	30
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 2400 wrote to memory of 932	2400	irsetup.exe	33
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 932 wrote to memory of 1012	932	BrowserInstaller.exe	34
PID 2400 wrote to memory of 2908	2400	irsetup.exe	37
PID 2400 wrote to memory of 2908	2400	irsetup.exe	37
PID 2400 wrote to memory of 2908	2400	irsetup.exe	37
PID 2400 wrote to memory of 2908	2400	irsetup.exe	37
PID 2908 wrote to memory of 2384	2908	jre-windows.exe	38
PID 2908 wrote to memory of 2384	2908	jre-windows.exe	38
PID 2908 wrote to memory of 2384	2908	jre-windows.exe	38
PID 3012 wrote to memory of 2524	3012	msiexec.exe	41
PID 3012 wrote to memory of 2524	3012	msiexec.exe	41
PID 3012 wrote to memory of 2524	3012	msiexec.exe	41
PID 3012 wrote to memory of 2524	3012	msiexec.exe	41
PID 3012 wrote to memory of 2524	3012	msiexec.exe	41
PID 3012 wrote to memory of 576	3012	msiexec.exe	42
PID 3012 wrote to memory of 576	3012	msiexec.exe	42
PID 3012 wrote to memory of 576	3012	msiexec.exe	42
PID 576 wrote to memory of 1580	576	installer.exe	43
PID 576 wrote to memory of 1580	576	installer.exe	43
PID 576 wrote to memory of 1580	576	installer.exe	43
PID 576 wrote to memory of 2212	576	installer.exe	45
PID 576 wrote to memory of 2212	576	installer.exe	45
PID 576 wrote to memory of 2212	576	installer.exe	45
PID 2212 wrote to memory of 3004	2212	javaws.exe	46
PID 2212 wrote to memory of 3004	2212	javaws.exe	46
PID 2212 wrote to memory of 3004	2212	javaws.exe	46
PID 576 wrote to memory of 2036	576	installer.exe	47
PID 576 wrote to memory of 2036	576	installer.exe	47
PID 576 wrote to memory of 2036	576	installer.exe	47
PID 2036 wrote to memory of 2180	2036	javaws.exe	48
PID 2036 wrote to memory of 2180	2036	javaws.exe	48
PID 2036 wrote to memory of 2180	2036	javaws.exe	48
PID 3012 wrote to memory of 2792	3012	msiexec.exe	49
PID 3012 wrote to memory of 2792	3012	msiexec.exe	49
PID 3012 wrote to memory of 2792	3012	msiexec.exe	49
PID 3012 wrote to memory of 2792	3012	msiexec.exe	49
PID 3012 wrote to memory of 2792	3012	msiexec.exe	49
PID 3012 wrote to memory of 2912	3012	msiexec.exe	50
PID 3012 wrote to memory of 2912	3012	msiexec.exe	50
PID 3012 wrote to memory of 2912	3012	msiexec.exe	50
PID 3012 wrote to memory of 2912	3012	msiexec.exe	50
PID 3012 wrote to memory of 2912	3012	msiexec.exe	50
PID 3012 wrote to memory of 904	3012	msiexec.exe	52
PID 3012 wrote to memory of 904	3012	msiexec.exe	52
PID 3012 wrote to memory of 904	3012	msiexec.exe	52

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.1.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.1.exe" "__IRCT:3" "__IRTSS:25259921" "__IRSID:S-1-5-21-312935884-697965778-3955649944-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-312935884-697965778-3955649944-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\jds259479785.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259479785.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2384
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        Executes dropped EXE
        
        PID:1076
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        Executes dropped EXE
        
        PID:2392
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1356
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 99244205436EA4B24DF4AA7631C4E9C1
  2⤵
  - Loads dropped DLL
  PID:2524
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1580
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2056
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3004
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2180
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding C147172E2949E98174A424C05DB1537B M Global\MSI0000
  2⤵
  PID:2792
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 71275FF8B78EE751277FDC63121C8C15
  2⤵
  PID:2912
- C:\Windows\Installer\MSICB36.tmp
  "C:\Windows\Installer\MSICB36.tmp" C:\Program Files\Java\jre7\;C;2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C0FD99678589FF95E38E6AF8EFC8FBB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8CC7D866321F3D74D7DB1B9D6FBCF46 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:592
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7767cc.rbs

Filesize
962KB

MD5
85aea8b759d23af1ea44940ae37f7548

SHA1
62d126cf3935111055a301d3e7c747ce65b8a6c2

SHA256
aacae6ef5936ae48f8df63e6052732e8e4de32b59b8264f1942a8da5c85b3cbc

SHA512
173da964c40f95177dd8100d55c619eb31c7c01067f5ac08cf395c6b0f8f4bce287999ea412cd3816ee7b64633d27b4ea3f7217c8559077b0ff95da3de25f8e6

Download Submit
C:\Config.Msi\f7767d1.rbs

Filesize
113KB

MD5
9da5426db09a6e84ce869319695a99be

SHA1
e6d71cfa6c7a0118ab4362603d440c0f21dfd1ad

SHA256
7ff0d1a5fdd6a5dc0a4ce473c09bf03b4d5f5a8ceac7b7c0d9e9e79fd1ccc0d9

SHA512
8e05346767703f18e9987dbb1e555ca25bf0ac575dae7be9eed3e008630e0ba9f4fa821d391829fc870571d04139a7029da0f0f74718f1ca332b71603b8d1b97

Download Submit
C:\Config.Msi\f776a19.rbs

Filesize
7KB

MD5
233da3f885e04b8c4f08acc6d484f39a

SHA1
a9f9cf9ff4a5d48beb3a29c42564b36d400272b1

SHA256
59b58c17c9854b6ac55147ab0115938207561f548a2ebfc3c636780ee89c38fc

SHA512
2318fcd4c0d2f6ac05bb2b6f302351f100a915df6ba5e5d479589b742e1626a666126a0e0feecc07e783b1c8bba8c1cdc6bfa427df5ec8ab1ece5a63d8f1c13e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
942dcef7c379600292af98b4633f28af

SHA1
a7017ffcec3c0cfb6c496016d93df64bedb6c3ef

SHA256
0dd71c8f26a5fdd40b514b951f0b695ecdc74eefa0a430cddc6cf9373f70d0c5

SHA512
f26a9d3b8f0d0535cddaf466f38acc11b467004c1bfcc8f62b6c8788527fc0b0ec13e520ac5ed2e126dd188a87dce8c8b483dc2935c2000eb02a6c2a86294ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
8d1ef379c4bb6fc7ad1d5796343e84cf

SHA1
04941f1cae43d2d5ab4714afe66c16cd2d7dac43

SHA256
1e1f485d024a6daeff0be35dac0198bc00a891635569fc6accdd0f416f88b173

SHA512
edcc5f10733801e59ba39e10884607ba817ffade4500460868667c873d5179e1144e510cafbaf493da13453b54152bfa4a368b63d9228d098f1c9754cd0972a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6945047678fb79bee456ebb1cb830dd

SHA1
0868dcc2606a2ebdde22c64e74773783fcad10e7

SHA256
7f108e6ac8884ae238f24c0db65365550a0b3d28ce151a843d13b67e11c7a81d

SHA512
ad87643846e9bfee5f632befeeee9221107cbd5200ffd21329f60e4eca0bf088a540973e7c0f18063db7a093f79e5e987b0f9848cae301274bd6a5b55543b8e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547db56e772cc7d34b7b66db02b358ec

SHA1
0cc19f184267fd3442d59d8994732743582d6044

SHA256
39c082635223df0fa1c1afea35214b0cfcf844a8ef387cd661886bc74a542ad3

SHA512
1f37fc48941d205b156640733bf766cbacee8bdd41f7e09a15d10cb2e150390fefb879a2ca340fc65841d77710f2429ab2eb7c4753a9e6773c391d26655a4a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dd43b581be22544acabe4b0c8ad5641

SHA1
2232c8e78dc88223546b30ea202dfdd10b915993

SHA256
b61b0f23e322bfce354076d9729c623c9cc5a73ead454ea95625e43226d82db1

SHA512
5b61f89d55cafd7290cef98ee752243afbba09e58ff51d5ef010f6e923ab15b0bc1264548734ebf19d5e59da2f26ae97bb7d77f651103018a6c4afce9c462399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
229200b7a44206209d6e5e238b0b0a7a

SHA1
e9fbaf1b605dd5b27df2ce31a7d4e070b4c92ddd

SHA256
9fd325ecde7d20423e2bc22498aa82c721ab021204e71254948eed7b06da0b39

SHA512
f9f2233a6bb5d8e491326f87411928413443cd105754cb47cab7d73b69da2ffc20b7705178e44d1fe375045382ce34b17dd2a84e20d4f5d6d8b2c4dfbaa79cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\runtime[1]

Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
27KB

MD5
c61e8a29afd9eaf9fe86f42f1477e04a

SHA1
da615fd02ae4340f3e109cb46a34e0b98f15e645

SHA256
6998c6b1037132c6e61bdd0d8e4c58f5c3e8a87d6ef386cfd0c1c3b74c25ce00

SHA512
a6d4d56dcf5c948bb963b893e4cc81c83482648feb74cfbaf94445b6b4d0421e361191175120e3db2b0cc3e17cfb940f8e215feaaf159945fe6d8e6b6360bebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC90F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG

Filesize
206B

MD5
be71b13401dc222cf12705a494d6d869

SHA1
88a1c0ba9183ff7c5737554f1fdfcec7f0a3cd9b

SHA256
18613a50bf66f04846476b7af071dcaab66fe0f5674b912155e1d5d8863d7e45

SHA512
686a8a0c2c54f5fc09817ac7d657b8f18b1b273142689a9ba9415cecd31e0ded4839e64ce51d0b4da29a2f541594c458b7b2187275f31cc9731875d2301ec213

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
8a85341b0188798599ce0927cf9fe146

SHA1
464460dfea299841de85e5e16efb8e941c3d4ee5

SHA256
42626231c6d33fc1fee765b86f912a9e689751f608a1983767ff3408293935da

SHA512
6e515bd4ff706d9cf3d2bbc83e3fcd1a2efcaaf6ddb9a750946f17bd80656f6fbe8b91faf95eb334fc35a838f75a3062d1f78e3f87fd4afca0ddf639e1d46716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
fb752bccf189b74f7f2c3e62bd619458

SHA1
58540838022baeb105cd3ee8f86178e8590871c4

SHA256
eb81a1aef2e49e389d2964afb0323fe5f86bdb9db122c158623484dd2f8b1348

SHA512
df459f70d69d905b09c64ffe02f2a932989dbd7ef71c85f38d97ee73d0c2f3fe6c8521b9ac1dcd043cfb600b25a8a42ea3f3e1eff8db2cf68fd1b50a7eee7004

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
04abb0c449e2f1e40a86eb86e605a4d8

SHA1
2cb8730881dd5b4e71b4f791de1ce056bd67ae94

SHA256
e68ff0aa4edfa947871fc39adc802c83c92eaa10ff4c6a94609fc4ef578213a5

SHA512
f4ce2adfdfdef6e7799ba666168cf3c82198b693255bda3ec1745a229fdce3ff80385a87e7239fc66b2eec46354bbf04b2f33402243620270b377409cf0c1693

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
151KB

MD5
c2be5f72a6cb93af45f70fcd786149a6

SHA1
91a3250d829e7019c7b96dc2886f1d961169a87f

SHA256
f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6

SHA512
522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
5KB

MD5
515c45d9da4c615f7aa931fe67941121

SHA1
71582470022487dc37cbcae8395bf9614ee8b365

SHA256
251c6dcbaff7129aba535ab84bba4e4828f2eacee8172d6b07acb4db2714c6c9

SHA512
587c416a401848ee7306a26c8a3100f778e71ccf1cbccdb04be9b405f85201120c2a1aac7551d6d119153d52b464eace7bf78fd4b0a81b8952700d30cb44f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
ea0cba6daa63dcce962a6da896eb048b

SHA1
65020512754913617963f4a75a931a563f44fb54

SHA256
2df7c76631552c939f676ebbc5b39dd6aef1680ae2f08b50d7ff2be61ae71548

SHA512
a006c18a0f004afeaf909232e999eb24bdeb3230f1f7ba9262628c0dfe84a67f0b7c8e96c13b6417fdc1f9863cb33e5bad29a0ed816a946e692423bf02116fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
6b21e8be354170d923fecc712d3eb37e

SHA1
6682e01aab53896957406081253c2f3abef1efab

SHA256
db8a6bc21a6394d526053e266c7593f6302575edaa6370f5ff00c01135d69454

SHA512
d069eb008ef1c89f1b7f8cbb86277c7eaaca3d5a3823bf042df68f6b04aaef23521deb44215c3d63faeabafe3e345755c84f29de6e0708d24c0ffdb9a2da00a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
24KB

MD5
59c56db4b287d0cac8fec4ff9200285d

SHA1
a278392031ad4aa88424f92e2354ed3729180566

SHA256
15bdf5e3c7bda73bfec1b64a3c84aa2e395c11aa72ba4c9282cf51e133f612c5

SHA512
cb5710261261f10a8e7fbe61396ab9c2ba1d2878020ee48ae90279e5d5399605960a1a319b05cd84860121971d9671a53fad2f0a6907480cabcb874316375c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
750B

MD5
8c2d318c3e4257153ffcb55591d7babc

SHA1
f7749358760ede08a08cf28c109ad96e9bec5adc

SHA256
1ce1ee19f2cb985dab9d18c425a1d3ef798177b2950888c0e7182fb089d29c93

SHA512
455b3962310734240e658791eb99fd64068a06b0b8cd78d06cec3bdcbdc5aa0c192f4b48be65e46f87b24e6d505d38751163e73137467249685fb94c099f391c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
3fd8ea8955585f1867dfe40bcebe4f6a

SHA1
e79885c300af3111f15e56544d4dab7f5187dab0

SHA256
4a57d4e4de95e922353d327b318ef70de5431d57254f23487af9a87a2bd5d346

SHA512
42d8f094eb5b534303e90534d0bad4e4de9f72d002fffb75b7d905d7f921fc12a15451671b71017de9ffb00c5d21e34909b34e4b3e13ca6897d6971ba969c029

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
bb4e23b158ae7c30af4f853b3c9549e4

SHA1
0b89279b32eb997bbf40c6b16ea41838fbd60455

SHA256
3c1b91e8138e076eae0b3f59fb986d0315fd0afa4e91f19fcd3415c725714ccb

SHA512
29692c12ae7fabc031ed1c04f6c35ae119f3eab7ff007352f01ebfc9b0d98f8f5e5b948b7629dd0882cebd72723c950379ab8e21fc5edbf170cfa711c3a63723

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
22KB

MD5
c4a4a535e40b5c286a1481c8b6be82f1

SHA1
577e9101f22f0a07b5c67be1d92c482f8d5a359c

SHA256
fb7b42f197d11f34892cb4544205ece7ba4569f2be24020a6e432ff2541b4348

SHA512
2ce6b36f8c4b71054dc13d2258fe0495d581b14021a3421befe9c55da423f011a59d80f05800a96ac5cf86cb71ee412ee29571145c2875085122bbddfa19a94b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
5ff06602ea819682acea3bec4f2a0afd

SHA1
171982fb2bbcc7e502ae1b9dc38cf2dcb5483051

SHA256
038f13817112ff61c714b6a27c708e7f3a4aa62144f36f35296f6b15fc8299fe

SHA512
11c24cfdfaf279f3265ebe824a8daad5469ac6b59196b13ca90d4691b75876f50d4b0bdc51245689354e405e992f82cab73ddad7bc4f6909776e97d97a5b1393

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
e7c8639ffabb5798b481e18e50cdc55f

SHA1
b42e7329f507f1aed5de150046240c2675dbdb92

SHA256
661546ce97196675b8557b12489d26ff65d03ebfc105d09492233efe6c66c3b6

SHA512
a290228c56b5dcbc80dcc3ec84a7dfc9e3ad5070c7e65f972f0703c938af0f5084ab43f118331f30978012613495f3e7177cdd31800f8a57f508aa1009e171f1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
3ec4c9062ab90ac0e840a236fb9b498e

SHA1
df0055f019f4820b25104f8de6a2f42b871cb194

SHA256
48732b00521bb3b0c94dcb818dfc8d45dd5f73b0319d99b39781bc7930756d40

SHA512
5e291fc1193a7bc3170e99f807c9f3af84c44bec55e513c204fbedfc41db74bec25352985cb30e9e6b2431219e89b6a06bcb85fff64b6e9417886ffc870d0097

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG9.PNG

Filesize
438B

MD5
cd54f1ea241ffe76657978a9e5fccfa3

SHA1
4607eb93ece1c8bd3fae4ddbdf882b2f41cf53fc

SHA256
9dea4ae080d9fb4803e86537d4302a2bc3912602fa4fd3b7154196345d3984b8

SHA512
58f642c2c72ddcb39b0b6b49fac368ff7f5ae946ba5296c52e09d0192c7345cf0e0a588fdfeb23d0429aff9941d7695d19b6d60ccd0c9170b02e21a8c4b25a0d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
d581a8a331aad64fb0ca1fec4490e83b

SHA1
416b966c6e1cb0dbaa263758f4636653f11db6e6

SHA256
8b22710cb11ead38f752eaee5034603dcc9b8940ab9d330d053cc9d349fa3fc3

SHA512
e42ec5d65f1ef22765558318209a86126335590222351cca42d1beeaf4eecf9b7af08dea4131fe26246abb4be98b4bbbc73935aa10578d3ae42298e34ef1fb6f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
6a8aad2b013026baaab88d8916a34e9b

SHA1
6a9e44ab68599d62f561b9ba597760b7322ae868

SHA256
d7b7e2a4e5b482927b56ef9863029a9bb1ad43edff1ae8ae0c9e8f96521d7f02

SHA512
2fa29f867f5b7a735b2be0dfead1bd69f4485dea9f7c0263691bb749c29fb1e86615000694a913d1e9ecab520b3e4a31e9587d50f6085deeaaaf80d65898facc

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9289\dependencies.json

Filesize
17KB

MD5
6d566646f2f374692a6a8b76ff23f59e

SHA1
43025f5b97daa38aeec3407cc20bf60740a319db

SHA256
b700139641a3d5493cb28c9ce00408f70e4e48083c80ed5693c6ae840ee93dd9

SHA512
0e949c4f50656bdbe4bd2ff47661ac62c942b5744d316242e68306bb751bcfe778037ebbcbcd31188125cc88cc243a497fbea6ccf96701668555df5a35586e34

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9289\resources.json

Filesize
18KB

MD5
f24f4282f4dbdc650884bd55033d7df3

SHA1
5c1aeb01a17701d7b35dd3454b4088dcd82f396d

SHA256
5690815ca9ad02021f49c1df8fd360a1ac29ef3781c15cb074a064b8669d12a2

SHA512
9d02cad4043de8c09498ed629c5d0c7763f8f4c35166919879acfb3670961e2b943234d0e721cd6b28485af477905437ec4743b41b2dbf8622d7831b0a62801e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
aba7fce4661d0d6ea8c40eb63f4718b0

SHA1
0fefed36b06f8a784736dbd504450b1574ada129

SHA256
551d3edbcbea195bc37a1ad887a21452131c132123d1a643be43411932403fee

SHA512
6fee54c2a174743342165846811e39c32eca318b424d1f8a138951cd1c5b0a9c033e5490921b943b84bf47197ede9bbf9c052292295032413abc54c8d63e806d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Windows\Installer\MSI6ACC.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
C:\Windows\Installer\MSICBA4.tmp

Filesize
235KB

MD5
16cae7c3dce97c9ab1c1519383109141

SHA1
10e29384e2df609caea7a3ce9f63724b1c248479

SHA256
8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

SHA512
5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

Download Submit
C:\Windows\Installer\f776a15.msi

Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
981c6bd23ad276e43a0716eb2c2d86c2

SHA1
9fcf7d51c0bc47a6bbd07c98a98bcdab041cd961

SHA256
6fb77e0ab35e79e357ab4172f65e58a8c8904653b088be2d867619ad66cbb309

SHA512
44cc99cbea974ee1fcab4ca9a58ddaec073555c9ba202452cb579a199e63dccaf83a4b0413b54a788ae44f9cdde1c78d887661483f66eaf05ad2e42cdde1469d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
07552732fa64db456300880d52e81b2f

SHA1
9a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc

SHA256
94bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226

SHA512
47e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0

Download Submit
memory/592-3513-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/592-3404-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3969-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/592-3970-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/592-3402-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3419-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3558-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3551-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3532-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3529-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/592-3514-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/592-3512-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/800-3392-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/932-838-0x0000000003320000-0x0000000003709000-memory.dmp

Filesize
3.9MB

Download
memory/932-1427-0x0000000003320000-0x0000000003709000-memory.dmp

Filesize
3.9MB

Download
memory/932-837-0x0000000003320000-0x0000000003709000-memory.dmp

Filesize
3.9MB

Download
memory/932-1426-0x0000000003320000-0x0000000003709000-memory.dmp

Filesize
3.9MB

Download
memory/1012-839-0x0000000000020000-0x0000000000409000-memory.dmp

Filesize
3.9MB

Download
memory/1012-3079-0x0000000000020000-0x0000000000409000-memory.dmp

Filesize
3.9MB

Download
memory/1012-2163-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/1012-1428-0x0000000000020000-0x0000000000409000-memory.dmp

Filesize
3.9MB

Download
memory/1012-1417-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/1012-3221-0x0000000000020000-0x0000000000409000-memory.dmp

Filesize
3.9MB

Download
memory/1580-2922-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2100-6-0x0000000003360000-0x0000000003749000-memory.dmp

Filesize
3.9MB

Download
memory/2100-15-0x0000000003360000-0x0000000003749000-memory.dmp

Filesize
3.9MB

Download
memory/2100-692-0x0000000003360000-0x0000000003749000-memory.dmp

Filesize
3.9MB

Download
memory/2180-3222-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2180-3225-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2180-3155-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2180-3255-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2180-3226-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2384-3321-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/2400-2567-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-787-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2400-4666-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-2180-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-3555-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-3111-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-1422-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/2400-1418-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-1419-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2400-2164-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-18-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-686-0x0000000000810000-0x0000000000813000-memory.dmp

Filesize
12KB

Download
memory/2400-685-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2400-765-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-2165-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2400-3355-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/2400-803-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/2400-799-0x0000000000810000-0x0000000000813000-memory.dmp

Filesize
12KB

Download
memory/2400-786-0x0000000000190000-0x0000000000579000-memory.dmp

Filesize
3.9MB

Download
memory/3004-3107-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3004-3141-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3004-3135-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3004-3126-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3004-3110-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3004-3094-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3172-4751-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/3172-4752-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/3172-4970-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download