Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 09-11-2024 18:02
Static task: static1
Behavioral task: behavioral1
Sample: TLauncher-Installer-1.5.4.exe
Resource: win7-20241010-en
General
Target: TLauncher-Installer-1.5.4.exe
Size: 24.1MB
MD5: 18f27581ee61474a5661fb3625022df0
SHA1: 265d21bff7bb85d42a7eb2779a75c6e1468a9a79
SHA256: f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45
SHA512: 99dc67916fb4dc1c1ab93a98455f1db3cb3d23fb5b42f7cbf7f8f6c098ace89abd75cffb0059548409068bb7ea738584b817c9c694e724f7d7afabe487f3cc5c
SSDEEP: 393216:T25Ku44fV+bX5IUT5M9Sc2rr6of5MJ7ZWqxPAIgtMIMlFRqFzSl8tGztnNR1:iKu4WV+bJdM9irrKJBH5lFRqhSRBn
Malware Config
Signatures
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 17 IoCs
pid | Process
2488 | irsetup.exe
2284 | BrowserInstaller.exe
1188 | irsetup.exe
2432 | jre-windows.exe
2384 | jre-windows.exe
604 | installer.exe
2788 | javaw.exe
2152 | ssvagent.exe
356 | javaws.exe
1676 | jp2launcher.exe
1740 | javaws.exe
2908 | jp2launcher.exe
672 | MSIF3EB.tmp
992 | javaw.exe
2236 | javaw.exe
800 | TLauncher.exe
3124 | javaw.exe
-
Loads dropped DLL 64 IoCs
pid | Process
2676 | TLauncher-Installer-1.5.4.exe
2676 | TLauncher-Installer-1.5.4.exe
2676 | TLauncher-Installer-1.5.4.exe
2676 | TLauncher-Installer-1.5.4.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2488 | irsetup.exe
2284 | BrowserInstaller.exe
2284 | BrowserInstaller.exe
2284 | BrowserInstaller.exe
2284 | BrowserInstaller.exe
1188 | irsetup.exe
1188 | irsetup.exe
1188 | irsetup.exe
1188 | irsetup.exe
2488 | irsetup.exe
2432 | jre-windows.exe
1196 | Process not Found
1196 | Process not Found
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
2368 | MsiExec.exe
564 | msiexec.exe
604 | installer.exe
604 | installer.exe
604 | installer.exe
840 | Process not Found
840 | Process not Found
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
2788 | javaw.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
2972 | icacls.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\"" | msiexec.exe
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
36 | 564 | msiexec.exe
37 | 564 | msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
-
Installs/modifies Browser Helper Object 2 TTPs 12 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | rundll32.exe
-
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\system32\WindowsAccessBridge-64.dll | installer.exe
File opened for modification | C:\Windows\system32\WindowsAccessBridge-64.dll | installer.exe
File opened for modification | C:\Windows\system32\javaws.exe | rundll32.exe
File created | C:\Windows\system32\java.exe | rundll32.exe
File created | C:\Windows\system32\javaw.exe | rundll32.exe
File created | C:\Windows\system32\WindowsAccessBridge-64.dll | rundll32.exe
-
resource | yara_rule
behavioral1/files/0x0007000000016cfd-3.dat | upx
behavioral1/memory/2676-5-0x00000000036B0000-0x0000000003A99000-memory.dmp | upx
behavioral1/memory/2488-20-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/2488-765-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/2488-766-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/2488-803-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/files/0x000400000001e09f-822.dat | upx
behavioral1/memory/1188-851-0x0000000000F20000-0x0000000001309000-memory.dmp | upx
behavioral1/memory/2488-2173-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/1188-2175-0x0000000000F20000-0x0000000001309000-memory.dmp | upx
behavioral1/memory/2488-2333-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/2488-3075-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/1188-3077-0x0000000000F20000-0x0000000001309000-memory.dmp | upx
behavioral1/memory/2488-4287-0x0000000000170000-0x0000000000559000-memory.dmp | upx
behavioral1/memory/1188-4428-0x0000000000F20000-0x0000000001309000-memory.dmp | upx
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\ktab.exe | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\charsets.jar | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Atikokan | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Budapest | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\sunec.dll | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Toronto | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Amman | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javafx-iio.dll | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\management\management.properties | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\orbd.exe | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bahia | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy.jar | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack.dll | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Andorra | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\security\cacerts | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\PST8PDT | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Metlakatla | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Mahe | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\deploy.jar | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Noronha | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89 | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Seoul | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\installer.exe | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11 | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Yakutat | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\management.dll | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\La_Paz | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Dawson | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\UCT | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Rarotonga | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\MST7 | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5 | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\psfont.properties.ja | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\policytool.exe | msiexec.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties | msiexec.exe
File created | C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll | msiexec.exe
-
Drops file in Windows directory 34 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI4313.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI44F9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f7740c4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI43BF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4878.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF43A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3A81.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B0F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI38FA.tmp | msiexec.exe
File created | C:\Windows\Installer\f773e77.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4587.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8942.tmp | msiexec.exe
File created | C:\Windows\Installer\f773e7f.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f773e7f.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF3EA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f7740c7.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI444D.tmp | msiexec.exe
File created | C:\Windows\Installer\f773e7c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f773e7a.ipi | msiexec.exe
File created | C:\Windows\Installer\f7740c7.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI47EA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDC43.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDC44.tmp | msiexec.exe
File created | C:\Windows\Installer\f7740c9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI41D9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4285.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF3EB.tmp | msiexec.exe
File created | C:\Windows\Installer\f7740c4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f773e77.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI45F5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4663.tmp | msiexec.exe
File created | C:\Windows\Installer\f773e7a.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4AC9.tmp | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TLauncher-Installer-1.5.4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irsetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BrowserInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irsetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TLauncher.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7} | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | irsetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | jre-windows.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} | installer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" | installer.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0390-ABCDEFFEDCBA} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0334-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0166-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_166" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0058-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBB}\INPROCSERVER32 | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBB} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0393-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_393" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0400-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0256-ABCDEFFEDCBA} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_76" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0320-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0172-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_172" | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0307-ABCDEFFEDCBA}\INPROCSERVER32 | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0321-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0378-ABCDEFFEDCBA}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0401-ABCDEFFEDCBC} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_36" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0368-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0102-ABCDEFFEDCBA} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_86" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0118-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0075-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0224-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0233-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBB}\INPROCSERVER32 | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0245-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0235-ABCDEFFEDCBC}\InprocServer32 | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_74" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBB} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0105-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBB} | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0283-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBC} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBC}\INPROCSERVER32 | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0185-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0200-ABCDEFFEDCBB}\INPROCSERVER32 | installer.exe
-
Modifies registry class 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0260-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_293" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0104-ABCDEFFEDCBA} rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBA}\InprocServer32 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0230-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0283-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0170-ABCDEFFEDCBA} installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0261-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_261" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_101" rundll32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0202-ABCDEFFEDCBC}\INPROCSERVER32 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0196-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" installer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_195" ssvagent.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0095-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBB}\InprocServer32 ssvagent.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0239-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" installer.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBB} ssvagent.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA} ssvagent.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_15" rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBA} rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0143-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" installer.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0365-ABCDEFFEDCBC} rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBC}\InprocServer32 rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_07" ssvagent.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0382-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" ssvagent.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_208" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC} rundll32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB} rundll32.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBC}\INPROCSERVER32 rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0319-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0342-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBB} installer.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0343-ABCDEFFEDCBC}\InprocServer32 ssvagent.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32 rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBA}\InprocServer32 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0348-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" ssvagent.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBC} ssvagent.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBB}\INPROCSERVER32 rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0095-ABCDEFFEDCBA}\InprocServer32 rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_250" rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0350-ABCDEFFEDCBB} installer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" ssvagent.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC} ssvagent.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBC}\InprocServer32 ssvagent.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0341-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_182" installer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_230" installer.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBA} rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0160-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_160" rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0330-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" rundll32.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBC} rundll32.exe
Key deleted \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0380-ABCDEFFEDCBB}\INPROCSERVER32 rundll32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0210-ABCDEFFEDCBC}\InprocServer32 installer.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\InprocServer32 ssvagent.exe
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBA}\InprocServer32 ssvagent.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" ssvagent.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0370-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" ssvagent.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_12" rundll32.exe
-
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 irsetup.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 irsetup.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process
1188 irsetup.exe
1188 irsetup.exe
564 msiexec.exe
564 msiexec.exe
356 javaws.exe
1676 jp2launcher.exe
1740 javaws.exe
2908 jp2launcher.exe
672 MSIF3EB.tmp
564 msiexec.exe
564 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 2384 jre-windows.exe
Token: SeIncreaseQuotaPrivilege 2384 jre-windows.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeSecurityPrivilege 564 msiexec.exe
Token: SeCreateTokenPrivilege 2384 jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege 2384 jre-windows.exe
Token: SeLockMemoryPrivilege 2384 jre-windows.exe
Token: SeIncreaseQuotaPrivilege 2384 jre-windows.exe
Token: SeMachineAccountPrivilege 2384 jre-windows.exe
Token: SeTcbPrivilege 2384 jre-windows.exe
Token: SeSecurityPrivilege 2384 jre-windows.exe
Token: SeTakeOwnershipPrivilege 2384 jre-windows.exe
Token: SeLoadDriverPrivilege 2384 jre-windows.exe
Token: SeSystemProfilePrivilege 2384 jre-windows.exe
Token: SeSystemtimePrivilege 2384 jre-windows.exe
Token: SeProfSingleProcessPrivilege 2384 jre-windows.exe
Token: SeIncBasePriorityPrivilege 2384 jre-windows.exe
Token: SeCreatePagefilePrivilege 2384 jre-windows.exe
Token: SeCreatePermanentPrivilege 2384 jre-windows.exe
Token: SeBackupPrivilege 2384 jre-windows.exe
Token: SeRestorePrivilege 2384 jre-windows.exe
Token: SeShutdownPrivilege 2384 jre-windows.exe
Token: SeDebugPrivilege 2384 jre-windows.exe
Token: SeAuditPrivilege 2384 jre-windows.exe
Token: SeSystemEnvironmentPrivilege 2384 jre-windows.exe
Token: SeChangeNotifyPrivilege 2384 jre-windows.exe
Token: SeRemoteShutdownPrivilege 2384 jre-windows.exe
Token: SeUndockPrivilege 2384 jre-windows.exe
Token: SeSyncAgentPrivilege 2384 jre-windows.exe
Token: SeEnableDelegationPrivilege 2384 jre-windows.exe
Token: SeManageVolumePrivilege 2384 jre-windows.exe
Token: SeImpersonatePrivilege 2384 jre-windows.exe
Token: SeCreateGlobalPrivilege 2384 jre-windows.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
Token: SeRestorePrivilege 564 msiexec.exe
Token: SeTakeOwnershipPrivilege 564 msiexec.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process
2488 irsetup.exe
2488 irsetup.exe
2488 irsetup.exe
2488 irsetup.exe
1188 irsetup.exe
1188 irsetup.exe
2384 jre-windows.exe
2384 jre-windows.exe
2384 jre-windows.exe
2384 jre-windows.exe
1676 jp2launcher.exe
2908 jp2launcher.exe
3124 javaw.exe
3124 javaw.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2676 wrote to memory of 2488 2676 TLauncher-Installer-1.5.4.exe 30
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2488 wrote to memory of 2284 2488 irsetup.exe 33
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2284 wrote to memory of 1188 2284 BrowserInstaller.exe 34
PID 2488 wrote to memory of 2432 2488 irsetup.exe 37
PID 2488 wrote to memory of 2432 2488 irsetup.exe 37
PID 2488 wrote to memory of 2432 2488 irsetup.exe 37
PID 2488 wrote to memory of 2432 2488 irsetup.exe 37
PID 2432 wrote to memory of 2384 2432 jre-windows.exe 38
PID 2432 wrote to memory of 2384 2432 jre-windows.exe 38
PID 2432 wrote to memory of 2384 2432 jre-windows.exe 38
PID 564 wrote to memory of 2368 564 msiexec.exe 41
PID 564 wrote to memory of 2368 564 msiexec.exe 41
PID 564 wrote to memory of 2368 564 msiexec.exe 41
PID 564 wrote to memory of 2368 564 msiexec.exe 41
PID 564 wrote to memory of 2368 564 msiexec.exe 41
PID 564 wrote to memory of 604 564 msiexec.exe 42
PID 564 wrote to memory of 604 564 msiexec.exe 42
PID 564 wrote to memory of 604 564 msiexec.exe 42
PID 604 wrote to memory of 2788 604 installer.exe 43
PID 604 wrote to memory of 2788 604 installer.exe 43
PID 604 wrote to memory of 2788 604 installer.exe 43
PID 604 wrote to memory of 356 604 installer.exe 45
PID 604 wrote to memory of 356 604 installer.exe 45
PID 604 wrote to memory of 356 604 installer.exe 45
PID 356 wrote to memory of 1676 356 javaws.exe 46
PID 356 wrote to memory of 1676 356 javaws.exe 46
PID 356 wrote to memory of 1676 356 javaws.exe 46
PID 604 wrote to memory of 1740 604 installer.exe 47
PID 604 wrote to memory of 1740 604 installer.exe 47
PID 604 wrote to memory of 1740 604 installer.exe 47
PID 1740 wrote to memory of 2908 1740 javaws.exe 48
PID 1740 wrote to memory of 2908 1740 javaws.exe 48
PID 1740 wrote to memory of 2908 1740 javaws.exe 48
PID 564 wrote to memory of 536 564 msiexec.exe 49
PID 564 wrote to memory of 536 564 msiexec.exe 49
PID 564 wrote to memory of 536 564 msiexec.exe 49
PID 564 wrote to memory of 536 564 msiexec.exe 49
PID 564 wrote to memory of 536 564 msiexec.exe 49
PID 564 wrote to memory of 888 564 msiexec.exe 50
PID 564 wrote to memory of 888 564 msiexec.exe 50
PID 564 wrote to memory of 888 564 msiexec.exe 50
PID 564 wrote to memory of 888 564 msiexec.exe 50
PID 564 wrote to memory of 888 564 msiexec.exe 50
PID 564 wrote to memory of 672 564 msiexec.exe 51
PID 564 wrote to memory of 672 564 msiexec.exe 51
PID 564 wrote to memory of 672 564 msiexec.exe 51
Processes
-
C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe" (depth 1)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe" "__IRCT:3" "__IRTSS:25260914" "__IRSID:S-1-5-21-2039016743-699959520-214465309-1000" (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-2039016743-699959520-214465309-1000" (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1188
-
-
-
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1 (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Users\Admin\AppData\Local\Temp\jds259467602.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds259467602.tmp\jre-windows.exe" "STATIC=1" (depth 4)
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus (depth 5)
- Executes dropped EXE
PID:992
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30 (depth 5)
- Executes dropped EXE
PID:2236
-
-
-
-
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe" (depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe" (depth 4)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3124 -
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M (depth 5)
- Modifies file permissions
PID:2972
-
-
-
-
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V (depth 1)
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5CD003E1A7DC2434C1D038A80EC017FC (depth 2)
- Loads dropped DLL
PID:2368
-
-
C:\Program Files\Java\jre-1.8\installer.exe
"C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0} (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking (depth 3)
- Executes dropped EXE
- Loads dropped DLL
PID:2788
-
-
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
"C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup (depth 3)
- Executes dropped EXE
- Modifies registry class
PID:2152
-
-
C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent (depth 3)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma 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 -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ== (depth 4)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent (depth 3)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ== (depth 4)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2908
-
-
-
-
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding E8D9FCC08520DF42080395A051635E33 M Global\MSI0000 (depth 2)
PID:536
-
-
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5646B6DC326357D956463AC2E981244E (depth 2)
PID:888
-
-
C:\Windows\Installer\MSIF3EB.tmp
"C:\Windows\Installer\MSIF3EB.tmp" C:\Program Files\Java\jre7\;C;2 (depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672
-
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint (depth 2)
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:356
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91F3181C7600A524B6CDAAEBBB5E22A2 (depth 2)
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3D5B2F40F82186E55BC89F55DDC313C M Global\MSI0000 (depth 2)
- System Location Discovery: System Language Discovery
PID:2280
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Event Triggered Execution (1)
- Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
- Component Object Model Hijacking (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Modify Registry (4)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Downloads
-
Filesize 962KB
MD5 36dfa6e5c0aff9c8ce3b1839055657cd
SHA1 6a67454e2dbcdf7c10e14d847d8d3f17b6c861ca
SHA256 76a9dc950d548205e0335709b41ca684949921dc7c8671d58000ff11e927f3f1
SHA512 8dba14f81fea878fe4c5d4e486ac1876cbd5b5e85e0e4b90e997677f6620bac9dea5bf4196c4850fd65364e9e3c078bebfd0645a7c567ac74dd3273a4294c69e
-
Filesize 113KB
MD5 0077f40fa1007e98b6bac0a018dd8858
SHA1 21a7085d52685ad5c16e806321488f589d5a6f85
SHA256 49ce008ca272cc0ea12dd3ffc7ce50eab30fc83bd40ea8d4dff9cdaa3b156364
SHA512 20f48de78526fc779a0afad6fc0f3251e8c2ca4508c5ed7fbd4aee26eff2b3718549976dedf43a0b7a3ae5f098e968440adf0cb4a8919edf41a48ea240ab0275
-
Filesize 7KB
MD5 dfff8b8e750b0f5197c9a4083a15030f
SHA1 67f23309049a7857e37e2efd0bdc09faeeab8de7
SHA256 9298d03227b45af411c163d23fc7e111502c331ade352a1d5550fbff19650f62
SHA512 c6267173b1fd67c84a5c7b4d4e8f67ee0ab7fe02c53c67ee0b939222fd446c58c4d6ec3669d1180b2883bb1e840e0fd6ec635eef6718917432c8e27269ffa6f1
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk
Filesize 197B
MD5 b5e1de7d05841796c6d96dfe5b8b338c
SHA1 c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547
SHA256 062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d
SHA512 963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d
-
Filesize 177B
MD5 6684bd30905590fb5053b97bfce355bc
SHA1 41f6b2b3d719bc36743037ae2896c3d5674e8af7
SHA256 aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20
SHA512 1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644
-
Filesize 173B
MD5 625bd85c8b8661c2d42626fc892ee663
SHA1 86c29abb8b229f2d982df62119a23976a15996d9
SHA256 63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a
SHA512 07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12
-
Filesize 579B
MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize 471B
MD5 a912447c379e429ead4ae21299c29030
SHA1 155f7995daf9cd9a9dfb5a48cbb3eb634837e265
SHA256 2467a6e47054020dda4d37a572cb45d072d039a54d453d5c1ffb83c054308ac9
SHA512 6e114dc5102efcaee8b74a195cab08fffc48596963e5454ecd79851c1971ccbfb057cf8e31d18a8a058881f724d7a3a649f96fa6eacde983fa5a607e2b9c3ebf
-
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize 252B
MD5 caab630e3b6489f1e73cd50acf051b2d
SHA1 d8a219ea3b1d448d383f5526548fee1627c6d144
SHA256 8c2c683ce70dfdaf733eacd93ea284d826b0b021734c0eadf16f4765c62c2d07
SHA512 629c71fe01ea2ee4edc8156d82de7ea9890013b909157a206947c953a9d3708c98d6a65dd07496cb4fae7d467f13b87205fc3de6df6abe142bd3a3e3ece21176
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 67630e2198abc70beeaf91e670fd67c7
SHA1 35b9737aec090e3b3b5ab438a7c4075ad87da73d
SHA256 0b6a0a3a64baffe86b0aa7e9bab186addf9456f5e9d04736b0a8babf7d9c23d6
SHA512 54b365e5ce79df02fecbe58ae3e7382a029282e46485a0fb0ea6e01e4c050b211b0ddca04c5846ac1dd61f2006585ac74844b405a7a71ef5843b0508745b17d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7c45586e768007e9068b661630465fe8
SHA1 d7a6f4739e392a38bff004bce66299f33b686d52
SHA256 3c0194b690028f3f22bdcf48547288ba392454f7aaa0e6e729ff1a413301ee89
SHA512 f59c43bc7f7da11abe3b0d5c4f5fff4999c761f2ef6a119e60df59c8c8c54116d4a71ec56c6e6d3e5ed4e2b99135908140f8bac9f45d5808cc810d327f86aeaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dcaee9a5ad9acecc7843137ba2d9280d
SHA1 17ec3bfc71b328aa56a8258c36424af2474075fa
SHA256 4f2b2b121eae25ec11813bcaef33e62499e77dedd9c185daf551649a3d43f88a
SHA512 0791eef4fc1f9599e3338bd047857dcfbd0af08a2e826e2f84aae38c97b0bc012e1c2289aaf3354a0f1afbafb8070eb6e0b2db0dc1fdde611c78d3bf70688661
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e36d50dc61c96cb83666e5af0a6b5538
SHA1 62c7dc99c8cfcfe9a9737e478177f1c1001dcc93
SHA256 998afcebe3818df251ebbf02a93dee4e180665e1ef521025047e550552738a46
SHA512 c8c45418fd2b176716d95536e9beea9d217613a51bc0bcd745aa6834bb9997e7ac36c770cfa5b709605a771d9658f2343861ae11bbefc1baa3a724984fdd2704
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4774fba4d5706e81fd1b2afad2f85cd4
SHA1 2e79ac0110e56e5f46b29d0194a8277aceb42c90
SHA256 101ea6ba22f7f64707794f8119f8db0e7bfef9e5116a83af18a330e9db632e4a
SHA512 7e2b944b43138a349fea323d5fd7b398b42dfa07fc1ee68b5d5eb407052395b2223ea725ec5951cdaa728ab23a6dffa3aef7dd98f216b3833755541435c17cfd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize 400B
MD5 12e2c26b2aadbc5ee1bb62cefa676732
SHA1 d6a3d43a5702a00baae64a642b28f13da954331d
SHA256 fe270dac4c159c715e55beee3f73b13c412c9428a864d1d87514bb44882cd180
SHA512 3aa0e3869f1a9bf6b10511c2010e97a370e813b9c871bc37d10a6121f79735376bc6a7cc6fad4b0b529b0da60c854f3203f022573014a6f48145da3b3408be73
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 f967ff02753beae7f3f515ffa5b78300
SHA1 f67070a1b18ea55c1155a206005aed7f1fcfc05a
SHA256 50ffb4b5864ebbd59d9ed06a6fab3e6994a27b04f2216544a8b8f065bf452c61
SHA512 b2df83be103dc0e1c6038dffa12c4df805c0d58f16fbfb8cea2bbbd6652035e1cd9b4470b1844e2880c8f9bbf6915345919a575629e2bf5846efefc002560ffe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\l10n[1]
Filesize4KB
MD51fd5111b757493a27e697d57b351bb56
SHA19ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711
SHA25685bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f
SHA51280f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\masthead_fill[1]
Filesize1KB
MD591a7b390315635f033459904671c196d
SHA1b996e96492a01e1b26eb62c17212e19f22b865f3
SHA256155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00
SHA512b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\rtutils[1]
Filesize244B
MD5c0a4cebb2c15be8262bf11de37606e07
SHA1cafc2ccb797df31eecd3ae7abd396567de8e736d
SHA2567da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1
SHA512cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\host[1]
Filesize1KB
MD5a752a4469ac0d91dd2cb1b766ba157de
SHA1724ae6b6d6063306cc53b6ad07be6f88eaffbab3
SHA2561e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3
SHA512abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\layout[1]
Filesize2KB
MD5cc86b13a186fa96dfc6480a8024d2275
SHA1d892a7f06dc12a0f2996cc094e0730fe14caf51a
SHA256fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058
SHA5120e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\masthead_left[1]
Filesize4KB
MD5b663555027df2f807752987f002e52e7
SHA1aef83d89f9c712a1cbf6f1cd98869822b73d08a6
SHA2560ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879
SHA512b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\common[1]
Filesize1KB
MD5f5bb484d82e7842a602337e34d11a8f6
SHA109ea1dee4b7c969771e97991c8f5826de637716f
SHA256219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a
SHA512a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\runtime[1]
Filesize42KB
MD55d4657b90d2e41960ebe061c1fd494b8
SHA171eca85088ccbd042cb861c98bccb4c7dec9d09d
SHA25693a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0
SHA512237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
27KB
MD5a7478bfeb19abffeecfeb846f1a3b00d
SHA11fbf051578e5f67d263e01939fc50230f439978c
SHA256bae2445fb5504b2a7e4a48b126904900311e0e4c7a00f36f2891de92e1ef924c
SHA512872f983bb403163c7e8075d702e484222fc9d4632b7ab4f5b5aaffa65036bdee737c6558d698a4a247c20921b29aa2156d25396ebdd88b9c920e772a174ba600
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
116KB
MD5e043a9cb014d641a56f50f9d9ac9a1b9
SHA161dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA2569dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA5124ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f
-
Filesize
1.6MB
MD5199e6e6533c509fb9c02a6971bd8abda
SHA1b95e5ef6c4c5a15781e1046c9a86d7035f1df26d
SHA2564257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8
SHA51234d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579
-
Filesize
12KB
MD53adf5e8387c828f62f12d2dd59349d63
SHA1bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a
SHA2561d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0
SHA512e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be
-
Filesize
43KB
MD5b3655c5b9a39b05941d0c23a9c56faed
SHA1466ce387c344d2bfe0b4279102cb1117ba447d3b
SHA2560c98e971a9d10abb4ba58b055852ead8e9aa214acee328901d0b124c190c6160
SHA512cfc3a2794480978b970401760fe0cca0c231d0ed1cdbe404d5c487a821d6ca50b99b59261599da99bee519c5c9c64e5b236207aa1233a2fc5700a4915cd95fce
-
Filesize
644B
MD57282f2f114986f6378a24d5365436595
SHA147cb70852e6df6a19955ef82902cc8f1b87ce196
SHA25633b4eecc2d29163192c2474d8e08178cb8c1e3a30effabbad64af58bc021f15e
SHA51290204bc2848fd657e0722a534cf96bd34149462142f770aed8b8100ef510e0fdcc498c7238d56d7bee2aea2b4468d0e1441dd482a701298822baf2c26ece0e6b
-
Filesize
40KB
MD5cdfec3c2c23708376bb456ebc3f49758
SHA137b11b42a80372c2eafe4e6315595321295e26dd
SHA2563ae0732d974d17825a1cafe29610bafd76d92a932d622f08fb61a3e0dfbf327a
SHA5123e2bfa8d505b06367241f20551d9f06f759c35b401e4bd48dcc70b09f7100966cb0099b4af5d05779842e30e5fab75caaa9575d1b741e292c82dffbef470d65e
-
Filesize
12KB
MD5f35117734829b05cfceaa7e39b2b61fb
SHA1342ae5f530dce669fedaca053bd15b47e755adc2
SHA2569c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3
SHA5121805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471
-
Filesize
12KB
MD5f5d6a81635291e408332cc01c565068f
SHA172fa5c8111e95cc7c5e97a09d1376f0619be111b
SHA2564c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26
SHA51233333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a
-
Filesize
1.8MB
MD55c9fb63e5ba2c15c3755ebbef52cabd2
SHA179ce7b10a602140b89eafdec4f944accd92e3660
SHA25654ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7
SHA512262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584
-
Filesize
325KB
MD5c333af59fa9f0b12d1cd9f6bba111e3a
SHA166ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA5122f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4
-
Filesize
151KB
MD5c2be5f72a6cb93af45f70fcd786149a6
SHA191a3250d829e7019c7b96dc2886f1d961169a87f
SHA256f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6
SHA512522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb
-
Filesize
5KB
MD5c299aa2fbca25cf4473bcfd71297e02f
SHA1ef05db4786303476316f71bc153bb53eb66833ca
SHA256e5c9d9136cb12a6cd92d6cdc742ac8c00048f373e8695da8afc68f421e72d5f3
SHA51282e568fda5773b77666bf8187c108df3ac455d1f7b4067158054f88a5b464ec833f45b8b0bb1cb2e99976730a8adaf29e57e0ec899ead597040af343c5f0774a
-
Filesize
1KB
MD57aaa3095aa096bf17d9c3db8f62cc690
SHA12e5396c166c20984c4235853cf3096ad11fd4b30
SHA256d33913d19a117922b9ce723c7fb94fa08da264e83df1d931e76a32318ae7841f
SHA5125c05d6fb4c1def2e878496deba156508290ebdeb400382bce5ff287af228bc2932bd2c2293829b2b106f4be15af8b8332eff2e50deb25b01f750c6e4f70c67ca
-
Filesize
3KB
MD536a4c7e466ceaceee94ada56e4f43030
SHA198d3a52936a0631ce21b0e6ddaf3e2d745efecf5
SHA2562578df0655fba9375430b6acc60159a5e455a55eff1d2774cd60990abbba841b
SHA512ed90b1a29457b9c8ceb540580c60a7763ce8721d4f78febd297c39045c3df99a972610fb1a340f4ccb05d9963cc327a1b116ec9e4f485616f99e6f27ed5c536b
-
Filesize
4KB
MD5dbbb334d69e349d635222e891749a378
SHA1c9af958584930f8c212201d1b8fc51f7605dbe26
SHA256ac02e2fd4bfbab5937cc5fce40029e4ce8c5baa018a5337871254c7c84b20a6e
SHA51293b116867e0d5710e6d7a64c93c1334f8988a8ba7b618c2f710f753dd0ef8230012b977d4428a19b3c99054d9aac8aac4d19c4f96a6dce5cb0ee1269382b671c
-
Filesize
24KB
MD53e8ba54808a8b14efb9544b495134274
SHA1ee29608eff98e48bb550480ae74157a388c5a5ab
SHA2564832a7a91edce3834dd980ba1dc7abc69756f3d68401ff9466016655263b60d7
SHA5128cfdb9d26535363b56b9fb5b21b1f3ae8661e2cc4dc95088da1c42e27bd863987adc4ad982013c3b1b99b648738ddc57f6b13df8ee117639b87c4bc781c3948e
-
Filesize
751B
MD5c868a7b196a7103781f2ea4525bd0e4f
SHA163391a2a82ed63ca0482115642f6b849b71accc9
SHA256411750ffd2ddcc0f325b72b93fbbe4234784047b46c73f4c34b70cb9d2ffd9e7
SHA51203edb14d3b55fedaa904e9765d07cabb0fdd9fed03a9d1e0365b752e14850886168010ef5aea23e424aa07ee05f7c6458deec600da1287dba914947cabcefa0e
-
Filesize
9.1MB
MD5edccf15d4d113e8559a0e53ada73696d
SHA14b5eeea2225132d61aca003dac24e27af02f9773
SHA256b9781fa5a2fabb70d57489378fd2cb6039bf8bd85a4f3c7f3ac5934f770e80b9
SHA51284a7ab8486c7e2b12c981bd5e8a8d5dd40133e5827797bfaed34e62b25dca959c4a044bc52ab909603b66adb4c168ede2d284162050529db84baba14634cc876
-
Filesize
45KB
MD575ad0ac83402e7a8ecf154efa31feba1
SHA1db2df40416a26580c651581b4ba1a0b5b26357eb
SHA256e290ef30a761839e4f2ee4baab625d3466ef183d0c4e2419c08374624591a545
SHA512f8e268138fadc3aa3055ec445e9c4b2122811603b28e0e2b8cd360f696167810556c13c6f78217e638b37d61e7c1bd68016f64b6c0814edc54620a92749d0ec2
-
Filesize
206B
MD500e77820522e807b034fcc95eae05874
SHA1ed80d05fa9cff9c1db75e9c15a8f8846219e2a8e
SHA2566cc4b01d2ececd80ff78cbae7051b9d5b7e0bf81803f70c8b513b03f066d06f4
SHA512220b8c19408efdaafcc2aca762ad94e88069e25b40e6f9e634003dd2d53fb647ab88e2b4d850826fed13d3b46be28b15e69385927f488323bab9f42e90d4fc28
-
Filesize
22KB
MD58d75081b16d081cf585dba5f67316c97
SHA198ae770fd3b2203494a03bc2d2cf32f301c29b73
SHA256119d708f73a67487018aae01abc18e776276fbb3a5a5593f745b96ade5ac1fe3
SHA512afd2ef116abf52abf8379e77623d3a93705178ccf7cb443afe2acb4f57359dff4aad17c70bec0595a68f2bec062e1b3df9d20e377c82b353f443e54db39c604a
-
Filesize
41KB
MD5451e442042ba9f82bf7808ed80c239c2
SHA1426adc5bbe2f9de5c4140f50daebe0228021c6d8
SHA256d0f7bd67c7eab68805c4840a26550e667036aa96da6a99cd3ab9a4dcef98e695
SHA51230dd4d87ae3c106895f68b14eedda119104361ed1a1ed3223349d2a3a655d7efb30a8854af81736715c936cd10922c8171ef7007beea6ea896da0873ddef7253
-
Filesize
475B
MD5816e5ba518cf28d84d5eba73f311839a
SHA16f260abde9b8ba31faebe75ee251487f094a3adf
SHA25677017d773858b093271d747792dbd413df14339cb519bc144342a281808e8a2a
SHA5123e746b668bea52432a20020c36ed0c017ccd2f81c1f41245ea13e98428d17903b35ac062fc62231fee6fd0a3b6b8d05989e77e18e81cc4b51c8e1a329576735d
-
Filesize
368B
MD5268e10d29ea4fd252ba0a132d61c3c98
SHA10eb41cea6c1c676e4d986de3189c60829a9f82f1
SHA2562cd55eb36f7b728283804bf494d0cbcdc47d27468cc3f60011393736d5dbf668
SHA51243682bbe114a22acf0f7e230d99cfa703376d2c3c6a83fe297e6830945c605f868e789f3ba863ef9d5f4e779ef3c83a6ad970b9af413738dd0c1bad73d56050c
-
Filesize
438B
MD54a76ee7c256f582242443d31556372b3
SHA1f3ac8015c1ec3da40b6b3af3a0f269a1d0d2dee4
SHA2561f5171d0550fefd5730f5b36a6803cb63dfe6342a5f93b105fb4cd428d76418c
SHA512679b7c81cbfc437609126e67c9e37d7ea0a15a762a32e6352939664c1b2462a1ee63ab426776f2ac5e0181c63762e4921c2a94b2f043806ea33fcd83e0e88cd2
-
Filesize
3KB
MD57fdba461188ede5578043ac3e9cc0e69
SHA1c98b60815db5d9e077482b3d622ae15fa5fdc50a
SHA2568ba2502793d45b0d68da7c21ecda1041f982b33d7a9cfc87cf207a8d2b372684
SHA5125e6b866ebc1506ebe3d3f3ea4274e7cfd14e3783589875fe00bd8f2f81d1d150e7bb27e8080c2fab4ff2b491d3c0eac6e50eb8ab1d76cb0965a55a7cedab5f09
-
Filesize
4KB
MD5588c7fab7d6e4e3768dcbb8b2d1f341b
SHA1015dd1cdb3a39c551f4a27bcfe03586c04bfeb3b
SHA25624b5001e0e82f18d59caa5673c674fb299026b5d7f4ef8bf7dabc39dfdc98002
SHA512043c86b6e3edd8ad61cadf81a973686127e04661277bf7eaa0797b5a681d482404b22a13cb165ebf8ba4e2677508edc4cc05937faae36ddcc845413f0bbefb30
-
Filesize
23KB
MD5fa0a4f6766d24ee1a217694c64879a58
SHA1f949c0914eff76d7edfbde8a96d7f12932a0e174
SHA256bb47706e72221ee287a00fee6212f7ae96bd36b76496ee86704773076026a2cb
SHA5127cc7b98740a4dcef18c438e243d267274cc217837e68dfc0693cfe0b96eda7050ce1ca2cb807cff459024e988e199654ffe430b79069a5b00c8db5aefb1dee17
-
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9298\dependencies.json
Filesize17KB
MD55ed4ae3fbe46daf7f4478bced45639dd
SHA1280a8ca899023664805e1e412de4e6232454eb6b
SHA256da14e746e46084231be66ade510d764dd35dbc9ba321507bf59f6a6d15b25038
SHA5125bca29d3acf157ca6128782bb774ae9756e78f5a883392763fd51bf59e1757e153fc3ad38e6a4bb5dfd06478f7fe258c2242cdf548a957eed214089eb7080837
-
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9298\resources.json
Filesize18KB
MD522c591ed3b93b958c27d895d61e3fb39
SHA1debabfe6faac579cdc90e0e9826f8f47f9a7c3e2
SHA256bc607f91e4a24b6c245ed219d6776f20d83eb377c8b1f93d844aef1dfd0f20f7
SHA512c2ab32c070d62e966d50f42d1cb7b5e09d28abc9b18ffde58371860a9d92be7fedacf08120683e0e1099418e6785a34fe4dc3a60dc9b0b3545e68d635f931d15
-
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize3KB
MD5b8a421486ef3ddaeb4e04b4927d31eee
SHA16615fbd3e65698c9cad4231f1d8b3ba66371e117
SHA25650e17ff2f097d35e0b571eb36bb68dc84736b9691711b6236084d52158d1f7cb
SHA5126c13621baddccf90c5384885f25e973972411a438517282a6a4cd213123fa7ac7230bec4f1cd9f641f96e4b7927c20479acfc5bc0503cb60312d85fcab73a31d
-
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json
Filesize3KB
MD5e2cbea0a8a22b79e63558273dded5e6c
SHA1bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61
SHA25610d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007
SHA512a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a
-
Filesize
235KB
MD516cae7c3dce97c9ab1c1519383109141
SHA110e29384e2df609caea7a3ce9f63724b1c248479
SHA2568acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2
SHA5125b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69
-
Filesize
1.0MB
MD5d7390d55b7462787b910a8db0744c1e0
SHA1b0c70c3ec91d92d51d52d4f205b5a261027ba80c
SHA2564a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a
SHA51264f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434
-
Filesize
1.7MB
MD5dabd469bae99f6f2ada08cd2dd3139c3
SHA16714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA25689acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA5129c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915
-
Filesize
97KB
MD5da1d0cd400e0b6ad6415fd4d90f69666
SHA1de9083d2902906cacf57259cf581b1466400b799
SHA2567a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
-
Filesize
1.2MB
MD50b689a412150e3e6b39c6ec69146504e
SHA1b690cecdb4217d05947f46eb3720fd3c10f0ebd2
SHA256ee52474483d6f29d606aa7061d3c3b958d95c9c940bfab7578c75403be59d656
SHA512e978b873cef32a8d6a8e692cf12728bbf8089b7af67ccd972eeeab69f88a3abecc5aa1b51dcae35e28ad01152ab7c978cc4df2e9580db438bc179dc5ea9f115e
-
Filesize
1.2MB
MD507552732fa64db456300880d52e81b2f
SHA19a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc
SHA25694bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226
SHA51247e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0
-
Filesize
953KB
MD564a261a6056e5d2396e3eb6651134bee
SHA132a34baf051b514f12b3e3733f70e608083500f9
SHA25615c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0
SHA512d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8