f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.5.4.exe
Size

24.1MB
MD5

18f27581ee61474a5661fb3625022df0
SHA1

265d21bff7bb85d42a7eb2779a75c6e1468a9a79
SHA256

f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45
SHA512

99dc67916fb4dc1c1ab93a98455f1db3cb3d23fb5b42f7cbf7f8f6c098ace89abd75cffb0059548409068bb7ea738584b817c9c694e724f7d7afabe487f3cc5c
SSDEEP

393216:T25Ku44fV+bX5IUT5M9Sc2rr6of5MJ7ZWqxPAIgtMIMlFRqFzSl8tGztnNR1:iKu4WV+bJdM9irrKJBH5lFRqhSRBn

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 18 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exejre-windows.exeinstaller.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exeTLauncher.exejavaw.exeTLauncher.exejavaw.exe

pid	process
2028	irsetup.exe
2488	BrowserInstaller.exe
2956	irsetup.exe
760	jre-windows.exe
2260	jre-windows.exe
2444	installer.exe
2372	javaw.exe
1592	ssvagent.exe
2040	javaws.exe
2008	jp2launcher.exe
1676	javaws.exe
2940	jp2launcher.exe
2920	javaw.exe
1728	javaw.exe
2456	TLauncher.exe
2444	javaw.exe
3688	TLauncher.exe
3760	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-Installer-1.5.4.exeirsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exeMsiExec.exemsiexec.exeinstaller.exejavaw.exe

pid	process
1716	TLauncher-Installer-1.5.4.exe
1716	TLauncher-Installer-1.5.4.exe
1716	TLauncher-Installer-1.5.4.exe
1716	TLauncher-Installer-1.5.4.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2488	BrowserInstaller.exe
2488	BrowserInstaller.exe
2488	BrowserInstaller.exe
2488	BrowserInstaller.exe
2956	irsetup.exe
2956	irsetup.exe
2956	irsetup.exe
2956	irsetup.exe
2028	irsetup.exe
760	jre-windows.exe
1204
1204
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
2180	msiexec.exe
2444	installer.exe
2444	installer.exe
2444	installer.exe
856
856
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3736 icacls.exe

pid	process
3736	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

37 2180 msiexec.exe
38 2180 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
37	2180	msiexec.exe
38	2180	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1716-17-0x00000000034B0000-0x0000000003899000-memory.dmp	upx
behavioral1/memory/2028-21-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2028-719-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2028-767-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2028-800-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/2956-850-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2028-860-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2956-2229-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2956-2230-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2028-2231-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2028-2236-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2028-2891-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2956-3149-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2028-3151-0x00000000001B0000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2956-3410-0x0000000000110000-0x00000000004F9000-memory.dmp	upx
behavioral1/memory/2028-4290-0x00000000001B0000-0x0000000000599000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\release	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI697B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7760a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6822.tmp	msiexec.exe
File created	C:\Windows\Installer\f7760aa.ipi	msiexec.exe
File created	C:\Windows\Installer\f7760b2.msi	msiexec.exe
File created	C:\Windows\Installer\f7760a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI665A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI658F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AD4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f7760ac.msi	msiexec.exe
File created	C:\Windows\Installer\f7760b0.ipi	msiexec.exe
File created	C:\Windows\Installer\f7760ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7760ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF12A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6785.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7760aa.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF320.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7760b0.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

TLauncher.exeTLauncher.exeTLauncher-Installer-1.5.4.exeirsetup.exeBrowserInstaller.exeirsetup.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.5.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BrowserInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

jre-windows.exeinstaller.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0188-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0203-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0081-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0106-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0295-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_46"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0362-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0210-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0347-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_152"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0298-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0219-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0400-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0405-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0167-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0131-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_131"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_111"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_68"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0331-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0157-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0308-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0264-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0217-ABCDEFFEDCBB}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_195"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0297-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_297"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_44"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0355-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_355"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0254-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0324-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0231-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_39"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0160-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_160"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_86"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0332-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0377-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_377"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_52"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_19"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0367-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0377-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_377"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_106"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0351-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0341-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_341"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0377-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0369-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0368-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0281-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0347-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_191"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_86"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_213"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_195"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0400-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0401-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0281-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBA}	ssvagent.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

irsetup.exemsiexec.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
2956	irsetup.exe
2956	irsetup.exe
2180	msiexec.exe
2180	msiexec.exe
2040	javaws.exe
2008	jp2launcher.exe
1676	javaws.exe
2940	jp2launcher.exe
2180	msiexec.exe
2180	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2260	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2260	jre-windows.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	2260	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2260	jre-windows.exe
Token: SeLockMemoryPrivilege	2260	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2260	jre-windows.exe
Token: SeMachineAccountPrivilege	2260	jre-windows.exe
Token: SeTcbPrivilege	2260	jre-windows.exe
Token: SeSecurityPrivilege	2260	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2260	jre-windows.exe
Token: SeLoadDriverPrivilege	2260	jre-windows.exe
Token: SeSystemProfilePrivilege	2260	jre-windows.exe
Token: SeSystemtimePrivilege	2260	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2260	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2260	jre-windows.exe
Token: SeCreatePagefilePrivilege	2260	jre-windows.exe
Token: SeCreatePermanentPrivilege	2260	jre-windows.exe
Token: SeBackupPrivilege	2260	jre-windows.exe
Token: SeRestorePrivilege	2260	jre-windows.exe
Token: SeShutdownPrivilege	2260	jre-windows.exe
Token: SeDebugPrivilege	2260	jre-windows.exe
Token: SeAuditPrivilege	2260	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2260	jre-windows.exe
Token: SeChangeNotifyPrivilege	2260	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2260	jre-windows.exe
Token: SeUndockPrivilege	2260	jre-windows.exe
Token: SeSyncAgentPrivilege	2260	jre-windows.exe
Token: SeEnableDelegationPrivilege	2260	jre-windows.exe
Token: SeManageVolumePrivilege	2260	jre-windows.exe
Token: SeImpersonatePrivilege	2260	jre-windows.exe
Token: SeCreateGlobalPrivilege	2260	jre-windows.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe
Token: SeRestorePrivilege	2180	msiexec.exe
Token: SeTakeOwnershipPrivilege	2180	msiexec.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exejp2launcher.exejp2launcher.exejavaw.exejavaw.exe

pid	process
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2028	irsetup.exe
2956	irsetup.exe
2956	irsetup.exe
2260	jre-windows.exe
2260	jre-windows.exe
2260	jre-windows.exe
2260	jre-windows.exe
2008	jp2launcher.exe
2940	jp2launcher.exe
2444	javaw.exe
3760	javaw.exe
3760	javaw.exe
2444	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-Installer-1.5.4.exeirsetup.exeBrowserInstaller.exejre-windows.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 1716 wrote to memory of 2028	1716	TLauncher-Installer-1.5.4.exe	irsetup.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2028 wrote to memory of 2488	2028	irsetup.exe	BrowserInstaller.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2488 wrote to memory of 2956	2488	BrowserInstaller.exe	irsetup.exe
PID 2028 wrote to memory of 760	2028	irsetup.exe	jre-windows.exe
PID 2028 wrote to memory of 760	2028	irsetup.exe	jre-windows.exe
PID 2028 wrote to memory of 760	2028	irsetup.exe	jre-windows.exe
PID 2028 wrote to memory of 760	2028	irsetup.exe	jre-windows.exe
PID 760 wrote to memory of 2260	760	jre-windows.exe	jre-windows.exe
PID 760 wrote to memory of 2260	760	jre-windows.exe	jre-windows.exe
PID 760 wrote to memory of 2260	760	jre-windows.exe	jre-windows.exe
PID 2180 wrote to memory of 1808	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 1808	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 1808	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 1808	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 1808	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 2444	2180	msiexec.exe	installer.exe
PID 2180 wrote to memory of 2444	2180	msiexec.exe	installer.exe
PID 2180 wrote to memory of 2444	2180	msiexec.exe	installer.exe
PID 2444 wrote to memory of 2372	2444	installer.exe	javaw.exe
PID 2444 wrote to memory of 2372	2444	installer.exe	javaw.exe
PID 2444 wrote to memory of 2372	2444	installer.exe	javaw.exe
PID 2444 wrote to memory of 2040	2444	installer.exe	javaws.exe
PID 2444 wrote to memory of 2040	2444	installer.exe	javaws.exe
PID 2444 wrote to memory of 2040	2444	installer.exe	javaws.exe
PID 2040 wrote to memory of 2008	2040	javaws.exe	jp2launcher.exe
PID 2040 wrote to memory of 2008	2040	javaws.exe	jp2launcher.exe
PID 2040 wrote to memory of 2008	2040	javaws.exe	jp2launcher.exe
PID 2444 wrote to memory of 1676	2444	installer.exe	javaws.exe
PID 2444 wrote to memory of 1676	2444	installer.exe	javaws.exe
PID 2444 wrote to memory of 1676	2444	installer.exe	javaws.exe
PID 1676 wrote to memory of 2940	1676	javaws.exe	jp2launcher.exe
PID 1676 wrote to memory of 2940	1676	javaws.exe	jp2launcher.exe
PID 1676 wrote to memory of 2940	1676	javaws.exe	jp2launcher.exe
PID 2180 wrote to memory of 3056	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3056	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3056	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3056	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3056	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 3060	2180	msiexec.exe	MsiExec.exe
PID 2180 wrote to memory of 2340	2180	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.4.exe" "__IRCT:3" "__IRTSS:25260914" "__IRSID:S-1-5-21-3551809350-4263495960-1443967649-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-3551809350-4263495960-1443967649-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2956
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\jds259477835.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259477835.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2260
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        Executes dropped EXE
        
        PID:1728
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2444
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:3736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 898124D0002E27ADC4DBC72717815A5E
  2⤵
  - Loads dropped DLL
  PID:1808
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2372
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1592
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2008
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2940
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 96472D3C7D03858CDC54C9B6D0F312B7 M Global\MSI0000
  2⤵
  PID:3056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 28B2F415D91C86E9514DFCC2A5814E63
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADCE56373324E171381F82F4DFC0A40E M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3688
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7760ab.rbs

Filesize
962KB

MD5
db6b901471dd96f7a449eae1f4db7779

SHA1
1dbfa756f5fe794c41c45278d12453c205e734fe

SHA256
e1b61bb9a5c453fb10c649ea3fb7a51a0963eb8bd0b8b359cd10fdf860bc8744

SHA512
c1b85e3ecd90ef1967e583287a8d8daa92d7fe2300b8df03c6f9b6db3d73537b65f4bc11eba274711e312619b3d3ead72b153fc0b0bbd88e00920c82a9ad3b36

Download Submit
C:\Config.Msi\f7760b1.rbs

Filesize
7KB

MD5
ee27d116a66ca259e286d8a816579056

SHA1
9468a0d4fa4a4b670635ba433405ddded8809d43

SHA256
08f7d29a89c6e90840eba4a16191b750f95a099e51201773a8f37b3bd366e05d

SHA512
22d221e647d2f5dc1203eaa2bd835fc67539dc0653fcb26b6b2505a59161c5bc736383dfc5fcf8238ee8ea64592111fc270bad67aa22e1dbe9a0c76a5de7ce6a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
173B

MD5
625bd85c8b8661c2d42626fc892ee663

SHA1
86c29abb8b229f2d982df62119a23976a15996d9

SHA256
63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a

SHA512
07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
95d3423cabf182d268b6a0280b3482ac

SHA1
2bd5166ddf5c2e6803473395539f765dc981f8d4

SHA256
0067e47a5b074e390c4ac57dabbd58ce075896422e0f9ee8350cb621db0a5e0a

SHA512
0711998eae55d1c1aac8c6e3e7d48dd55fc7fbf028f2eb467be63d049de0f25e5eca805268382a03ad48b685cf32d382fd2b8680bc976bef72da39be48ba0c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c8b5af6181c75363d352b7af08dec5f1

SHA1
a244f77f5d955e0007d115e0c1f9c9ea28b44d80

SHA256
0861280a704cefec24106161762699804467d8e6b2025242d9b4f070d42f0030

SHA512
8cab67cc2ab5a8d1242f1806a98a8fe66259ca006c8b2e92e5c4b5bfb2b81bea3a412ee8ebcd06301177b4cbcda44d7abc4d6b3c176e00bd5c5649ca0cc6323c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d48f4d7d5ef132286e3f8f634b0a892

SHA1
4d5023f2df060eed06f090feb6d144aefbea284f

SHA256
b0b3d6f512afb8c5c36775cdf79f66fec062073b353ae370f2fdc0c4be7bc153

SHA512
280048255fd172628b324c928cb03858db617589e74cd2776a632923e9706003b2c0f12342f26e912bd3e3e2e3f103b4297499f646b10ad377b50c5a22bd7ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d0a30be0dce4fcd6b88b4aa5db04c6

SHA1
05a24c2bcf2550ab4b245417f89b6e332f0a35a9

SHA256
ee87001f0e93f057159effda3f158c22bef9216b619a6e67b96dbc0ef1500c97

SHA512
7b5a63841c86383b0129cc3bd0669005668a3f82a98c333d8b5461de4a583b405960a42335c94413fa9e9a8a05dba5d7ee4896313c79345832e647617b93701d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ba5178a30478b6c190b573e7db2df4

SHA1
b2a9ee6b0edf9fa82cb5d68118089b053c1e3285

SHA256
376fd7b752999a3d25cfebb5849708516c4e8901b887758eb9afa7e747c5e4b8

SHA512
ea4f8298f8d5a0e7ccb21bb61522582561e4bcc2857b8ad0608ba75648bc9f3e96719936756145e07257a9556257633ebece36be23684b3f25ef13c7d397f81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2b42a3aeff30ff1d7f021c820c7ae3d

SHA1
d8142f722b1630f0cfff9236c28efd93a85b9d9b

SHA256
96f5c716ca7dcf75e2e3929132a35aef820d8e23f848f31ce6890732346a6e48

SHA512
31d41abf629dae807660a372ad8cc7f0d643699a2418e70adc17c0b3b78f5b7423310a931ad8fcd3c29169defdff31763087798d8993dc5bd6b7afda66fb20e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af65ab025ab4b0c856b01a950b127c8d

SHA1
9d4bb83f40b71bb1803fa138ae67c5ebb4fa76e4

SHA256
2e45e281dd7b14b5ca1b4a64004ac25142cbb9fbcd9e87a9cf2ccf94713be4ca

SHA512
541acf0f27c753cbc0c07f88652c2174a64251891301a53b269756d84b4a3819a697d31e60e027adcc2609287a21d8debe010cb35d82675d00bbf4eed4befc78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
5c82373e7ba6f1202481d46889c1d3f3

SHA1
8c7afbc2d4e2204a1fcf94c259e9c33f169ac8f5

SHA256
f72cd8a42ad0e82e9307fdccd7ac9ae5eef4fb0af1d869e8cafae67c35108c50

SHA512
353cc95ea640399eb44cd193ee27dfc54dad347173bf6d3de0adca3fda1eda71c55a4b4acf283fb52cd9ccb7d8cb0f65aea9f9f66b05f09d0233ef0e66bef6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
807222a23dc4c5c7b2e10c569675cb64

SHA1
a9e12029cacf001c5da17d5e4edee1bfbdd01cd0

SHA256
e767597fbdc55bff0da2698120fadb28b90650924c45bb7b377dc7d533781d62

SHA512
dabe0f4ce136badd088188715b5c89ef28b70b32659f8773c9247ab50baa9f8d2aa496059637d99338086aa0948221234bed9964512a0a3de383893d24f259ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\runtime[1]

Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB62.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
b3655c5b9a39b05941d0c23a9c56faed

SHA1
466ce387c344d2bfe0b4279102cb1117ba447d3b

SHA256
0c98e971a9d10abb4ba58b055852ead8e9aa214acee328901d0b124c190c6160

SHA512
cfc3a2794480978b970401760fe0cca0c231d0ed1cdbe404d5c487a821d6ca50b99b59261599da99bee519c5c9c64e5b236207aa1233a2fc5700a4915cd95fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
7282f2f114986f6378a24d5365436595

SHA1
47cb70852e6df6a19955ef82902cc8f1b87ce196

SHA256
33b4eecc2d29163192c2474d8e08178cb8c1e3a30effabbad64af58bc021f15e

SHA512
90204bc2848fd657e0722a534cf96bd34149462142f770aed8b8100ef510e0fdcc498c7238d56d7bee2aea2b4468d0e1441dd482a701298822baf2c26ece0e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
cdfec3c2c23708376bb456ebc3f49758

SHA1
37b11b42a80372c2eafe4e6315595321295e26dd

SHA256
3ae0732d974d17825a1cafe29610bafd76d92a932d622f08fb61a3e0dfbf327a

SHA512
3e2bfa8d505b06367241f20551d9f06f759c35b401e4bd48dcc70b09f7100966cb0099b4af5d05779842e30e5fab75caaa9575d1b741e292c82dffbef470d65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
151KB

MD5
c2be5f72a6cb93af45f70fcd786149a6

SHA1
91a3250d829e7019c7b96dc2886f1d961169a87f

SHA256
f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6

SHA512
522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
fb1717726f5ecb359d49ce793d0e0afc

SHA1
04bc55d1be5f34f3fdfd7d29655058f9f541cb2c

SHA256
1ebd1852f1f3a06ab3f62c3fc2975263b8cca929980796820f81465c0cba9b66

SHA512
58ec07fa63c9c988d98b9816bd4ba9cd2bddab2a34ce77339e544a9c45680db342242186f6ac6826d8b5b808dcfc91ed86ebb881ba45142dd2f00371f367a8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
bd6c35f8625e8021072fe8ccf1832426

SHA1
0c0cb17468b93ee65244d10c351ea54716f5af29

SHA256
fe252024182497f5f7992dae5b16e09118c94d457d4369a001c3f71c8529bfd0

SHA512
0cd3b3ab55c35728994d876b14cd72ea2a5550cd070feb3fc6bfa6910b08f836e94c3d0fb0a4aabf2cdd9adff018235fc06d1554bc66e9fc759d27a950227984

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
24KB

MD5
4591283e914284e86939a24351e06823

SHA1
128991ea64c4dae0e95e19fc789838ebc2e33eb7

SHA256
922af652e7f98c80f8f9444fcd855ff0ef7a420583872873f20971d089bdb9b6

SHA512
10724928b7dd9e78c1b1e8be1d26f84e54c7ca076b51e9b84f19c12d086df5eba06faef10a94ebf13886bf60928db80d132fef44f9569a3b13ea27162e765a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
751B

MD5
dddb5db64def90fcd49be1fccbec595c

SHA1
8255bb878f3962a7e9b2e11866973f12cff98c0f

SHA256
6457b3f0bbe5db05ba16895953714e5aa44215ea85fddcf1ce912a679b539a78

SHA512
f3b34f2d191999870185f2546e6bbd9b249af76e2b39bc19d476d4645053b97884233f9f6e8d160a41988baa2832fc93a5d97dd2500f5a1b5f45574f39c6c1b4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
edccf15d4d113e8559a0e53ada73696d

SHA1
4b5eeea2225132d61aca003dac24e27af02f9773

SHA256
b9781fa5a2fabb70d57489378fd2cb6039bf8bd85a4f3c7f3ac5934f770e80b9

SHA512
84a7ab8486c7e2b12c981bd5e8a8d5dd40133e5827797bfaed34e62b25dca959c4a044bc52ab909603b66adb4c168ede2d284162050529db84baba14634cc876

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
75ad0ac83402e7a8ecf154efa31feba1

SHA1
db2df40416a26580c651581b4ba1a0b5b26357eb

SHA256
e290ef30a761839e4f2ee4baab625d3466ef183d0c4e2419c08374624591a545

SHA512
f8e268138fadc3aa3055ec445e9c4b2122811603b28e0e2b8cd360f696167810556c13c6f78217e638b37d61e7c1bd68016f64b6c0814edc54620a92749d0ec2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
00e77820522e807b034fcc95eae05874

SHA1
ed80d05fa9cff9c1db75e9c15a8f8846219e2a8e

SHA256
6cc4b01d2ececd80ff78cbae7051b9d5b7e0bf81803f70c8b513b03f066d06f4

SHA512
220b8c19408efdaafcc2aca762ad94e88069e25b40e6f9e634003dd2d53fb647ab88e2b4d850826fed13d3b46be28b15e69385927f488323bab9f42e90d4fc28

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
22KB

MD5
8d75081b16d081cf585dba5f67316c97

SHA1
98ae770fd3b2203494a03bc2d2cf32f301c29b73

SHA256
119d708f73a67487018aae01abc18e776276fbb3a5a5593f745b96ade5ac1fe3

SHA512
afd2ef116abf52abf8379e77623d3a93705178ccf7cb443afe2acb4f57359dff4aad17c70bec0595a68f2bec062e1b3df9d20e377c82b353f443e54db39c604a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
451e442042ba9f82bf7808ed80c239c2

SHA1
426adc5bbe2f9de5c4140f50daebe0228021c6d8

SHA256
d0f7bd67c7eab68805c4840a26550e667036aa96da6a99cd3ab9a4dcef98e695

SHA512
30dd4d87ae3c106895f68b14eedda119104361ed1a1ed3223349d2a3a655d7efb30a8854af81736715c936cd10922c8171ef7007beea6ea896da0873ddef7253

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
816e5ba518cf28d84d5eba73f311839a

SHA1
6f260abde9b8ba31faebe75ee251487f094a3adf

SHA256
77017d773858b093271d747792dbd413df14339cb519bc144342a281808e8a2a

SHA512
3e746b668bea52432a20020c36ed0c017ccd2f81c1f41245ea13e98428d17903b35ac062fc62231fee6fd0a3b6b8d05989e77e18e81cc4b51c8e1a329576735d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
268e10d29ea4fd252ba0a132d61c3c98

SHA1
0eb41cea6c1c676e4d986de3189c60829a9f82f1

SHA256
2cd55eb36f7b728283804bf494d0cbcdc47d27468cc3f60011393736d5dbf668

SHA512
43682bbe114a22acf0f7e230d99cfa703376d2c3c6a83fe297e6830945c605f868e789f3ba863ef9d5f4e779ef3c83a6ad970b9af413738dd0c1bad73d56050c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG9.PNG

Filesize
438B

MD5
4a76ee7c256f582242443d31556372b3

SHA1
f3ac8015c1ec3da40b6b3af3a0f269a1d0d2dee4

SHA256
1f5171d0550fefd5730f5b36a6803cb63dfe6342a5f93b105fb4cd428d76418c

SHA512
679b7c81cbfc437609126e67c9e37d7ea0a15a762a32e6352939664c1b2462a1ee63ab426776f2ac5e0181c63762e4921c2a94b2f043806ea33fcd83e0e88cd2

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
2KB

MD5
c5285dbec88aa3cac5de349c5070b01a

SHA1
4d954d671ae9a54e3f4f3fedcc504d610f4810d1

SHA256
7b558ae204586150cf6558475695f7084b5be3a3f8f001ec51c43000c07a3d1a

SHA512
bfca92a8f185814d2d27e044ed0ba386e32a45cbfb73aee2b0550efc76cca71e839bb2097038398db3ab612e9cace4bdd907df383aec4ce0a299822f0cf52f27

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
2KB

MD5
328e2fe2ed85db64ed3d14386e066e7f

SHA1
aa40b9e0fb3e7431bce9d056fb9ba38b657ebcec

SHA256
1aa3ca317d3466641f27590bb7d3639b444fcfa2210f0619e2fe3854548c84a1

SHA512
d1ab22aa68d6ee7ef9053ea224fa640b864c80a69cc1f14f0b74dd8add0f77904d5275297df6940d510d8d0896297e0507bff1c1306069ac84ad4afb0a515f3a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
3KB

MD5
0dd530c6deb4956c36bc31a1fb8e754e

SHA1
1e6984862935db83ebf0bd77697b0b00631a190d

SHA256
e6327fe34b9f63c0cc136390eb5eb27a01e8b2dade82c74a418cac551c4cc11b

SHA512
1ba448ba0d7c8a485db5289b309d63ab4370952d5e8af0fa0ce5340ee601ab5cab46d8d5f1db62a8573acb214b2cb51871c0f515b7a27d7fe5d6b0449304d650

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
3KB

MD5
3a22afca76aa6c73e4809c192f36040d

SHA1
fa520c0852fc3b6c74affc76d18bec1e1e21f0f4

SHA256
5d52cdb1e50c78a0de86eadb9d1b163d744d6e7d34d75442e4271e56cedb69b8

SHA512
7c88cc3c9312d212eb3866b87fc0d4c08646bead68a2a326841460793cee886a8a71989d9da1c9ccbf75f5cc314bac11afbec29d0fd459b97855afdc66af36c1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
588581caf44bbd52748a8bfb21b47f89

SHA1
53d7c2b985279f33ac4f1e8b49cf922c79802e64

SHA256
ba35392690e89c444028e303229751d5f7e11ee5a5a49103039082cce28c7559

SHA512
ce4e35a42834127c12a8c672ea72521fb75beeeeebb0b4237f7fc96cf5d0c88cfbcc0b05435a0bf7c5ad94b0289266ebb3373064cbc389c926cded697d530c22

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
562aeb54cfcd4a54ac15909d7092a0f7

SHA1
d48d2a262f5e47f0fdd07395e529bdde7bfe3894

SHA256
9febe29db2eeca4ec32d0d6fbaac6a1858b89ea92423325339d93bd9efcc808d

SHA512
dc5f05e70ed479f0ea3d484df11ad84b5ff5df14c7b2b7de65464b7007aabaaf5bba7bff358cf2e84f457b18939d88e35e4e5e140c1a12bb1d5cfa1a96b16312

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\NOT_RUN_TLAUNCHER.txt

Filesize
2KB

MD5
7e1f99bbaeab34cb3bbaf61bb56836fa

SHA1
30cca493f09b496fec5f3c83cd31113ee1683c52

SHA256
94df1e31e53e0bd37d0bc1e5df637c7bbf4a1f14b41a7603b8ccf05f61b697ea

SHA512
c5500ebde9754f376d7e4445230af79bdb03bafb48fd72cd5bd02558e93e524ba2f90c670ec1fe0717733d94bd99c89b35e004d23785358a107820a1a4b0b766

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.jre_removed.json

Filesize
2KB

MD5
5e2f3f4a6d81d9370769128b16218fa1

SHA1
54bc3d355ee4c76da90bde7f290a20af1762b938

SHA256
66347d46051d314f0b02fc594e5a9c4e06f21e3adfa3ea36e593cba63afb313c

SHA512
b952c46efa6c32a9b4b77c8b48cfdc6d5aa5d24ab060f9313c1df792bc18913d286c148277c34c8ea7c9c8bd5a3d332509078f89583bee3ad847398b3a7272c1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.libraries_removed.json

Filesize
13KB

MD5
656afe320bf34a8a79617a9740821eff

SHA1
88dd7d0e1331f159881458ccab29a81b93e11785

SHA256
4ae1e18c84222293da3912b6fc06dd66abb20612c984f915607bb90026718f1c

SHA512
532be539066de0b3124ea36f06c197de34cf056878c124f393f7f7ae6b32a80401f325a99c0ce282f468a83f4e9b9c8747018b2bac100e0bff70b49065c8a01e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9300\dependencies.json

Filesize
17KB

MD5
481e361c075fe0c29276369b3f43cc9b

SHA1
e9c58e63ad3b2c0ae9c46c4b68ea81a1d4f8c398

SHA256
a424c196760f90145f7181456896e5196b6907e5581893fb8f1e0ae4052e03e4

SHA512
6b43e27630ff32f01779cf8d0bd166403bcab4368c4c777320237b85efd1a85a5e46a1a8557d1d72281339c8a8ae67eb45aee9c8b2789440b1af14874e24a288

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9300\resources.json

Filesize
18KB

MD5
ce1d4f31a4568507f23ec95eada395fc

SHA1
eea9928ad87eedd7f93a69078351e85d22f74c6e

SHA256
37fff39f811453174a35504c6818c6ed5eb24b29adbc0f0305f64595d959a35d

SHA512
4b3db868920b1f729be1707eb1fc580322aa43b008c1405097d07b9ecbcde8e340984249140209347d8ef98be40c2b774be87004033f6cfcf8404bdb9837a5a5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
e0d58fd38d99d1f049893ce2a5d704a0

SHA1
c4da1e2d46ec0397614c688f415aaf3b43753efd

SHA256
84de112fd7383ee2e3cb714681b33d1aa9939f9b79851513b1a15cfaeb99f55f

SHA512
c95f3a413df567b54e01f2861aee82f8e010993aab62f35e90d9402039394ce6c7685fe9129e642b1af21390a7494446c7aace569c42da97b068c304b5672681

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\css\smplBrow.css

Filesize
451B

MD5
9ea43501482da7353f3ae8e8f04b4080

SHA1
214165dd145848438b40307f6b86531dcb9c6e8c

SHA256
bc4422013b8b17af0e811d9f7d25023a88568c49f546069416471edfe18dc4fc

SHA512
564cec23681c5b192fecc9e9d68386947b8c76de441919c9bb5f18f23580ab1208469d9d01ef3c7603ab26bc7ca2f4325d05c61ad0774c3aa6ece505277b53d6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\checker-qual-3.12.0.jar

Filesize
203KB

MD5
ab1ae0e2f2f63601597a5a96fca8a54f

SHA1
d5692f0526415fcc6de94bb5bfbd3afd9dd3b3e5

SHA256
ff10785ac2a357ec5de9c293cb982a2cbb605c0309ea4cc1cb9b9bc6dbe7f3cb

SHA512
ff20c424e130c31c30b4f4f5b4374f8f98f94ddae2b123f3c213f147be6b3de57854ee5651b02dd97d352c1c1df2a8bfeef73d5307a71372f46a6002eab24d78

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-codec-1.9.jar

Filesize
257KB

MD5
75615356605c8128013da9e3ac62a249

SHA1
9ce04e34240f674bc72680f8b843b1457383161a

SHA256
ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce

SHA512
b65531ead8500493e3dd14a860224851b80f438fc53bf8868b443a0557d839a2b0c868e4fedcf99579ae04b6b2bbd8cdb37f9921ad785983c37569aa9d2e8102

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1-win.jar

Filesize
5.5MB

MD5
70572dde1929e135369fcd160f16a996

SHA1
54a0beb140a8f9b351a2a0ea53c4546d3cf9a08f

SHA256
83a077938d70c356041ec86183503acb4950519a2fed438679402b35e4831170

SHA512
56102b0ca3e4123216ae48d13b7a1c6bd86047025a3c3efce1c9a59403f8d2c47eb7b902a3d9435a5c98e931e673e747c0022fc31a9a36655eaa70b2c71b233c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.12.json

Filesize
304B

MD5
c0aa9a1b0900982f72e072f6f85a0ce1

SHA1
922c8819eea3221d2c0d36071558707168d36fcb

SHA256
cf2131de69ea20ba705838999ff20a5e94dd888ec08c3230f90b09b7e5d1801b

SHA512
ebb26772bf7cb67297653f9dbda5478cb43f9c0575cb730797023374e6cb8b8b683fa8d11fc28b2bd09d4c33adc67203b92741e96d91e5a4010fb6f432da8527

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.7.10.json

Filesize
300B

MD5
33386dab73eb261523775cbcac309300

SHA1
dfd076b6e8492a83e39c00fcdea9dbe282e3dba7

SHA256
9eab2926a13dc0e6d4889c0aa4d1f3b8f1df6c02f2ee087b5fcecb7a4f780c87

SHA512
445e1a1eee477d68c4bccd5ca942985d4485138622e4a2f48b3a1fc11fa70c4d9a7abf5f403a2989f78662de04fd3a38c0c6376fa0cd10bfd0ca1dcf5082267c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO

Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION

Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE

Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\removedFolders.txt

Filesize
703B

MD5
66f2bf2a3cfc55320fdcbeadef07c78c

SHA1
2c34e9fdd3cc033a31b26d443b76c643013f0565

SHA256
342732fd5c95d6735b2567ca3638f53842ee19444fd7f36c2f2c437a835d5f1f

SHA512
fcb5d465f37de84bbcb0843e915c9f0ad1f661e2de1b5924d8274d19713754621d806a6bd49679459bf9c87a368efbcee7cff82a1c400b4cefb6c3b063ad6dfe

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\signatures.json

Filesize
8KB

MD5
1c836d1767b58a864ec401f0966914a0

SHA1
6014275288006534525ffa75ce1a1b66438e036a

SHA256
a19b7acbe605085ddee8df50268e1f9284c75ed9584e924f1474916d09d848b8

SHA512
dd43b3222a6398f69c71603762ca595d8a84d47b28d10b5ec0dc8da8fbf9d07deae656791f665de4a2df806a66203bb8ccd3bdf4f29d2596937b17e2c30eee3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\tl_dependencies.json

Filesize
1KB

MD5
107d05532cf0a58577ae6de603276a42

SHA1
54c12373677ab04e84cc2e7cb1930649ba38a952

SHA256
b32a5f902b1387192c76cc2d48540dc2b26534caab2d59b2fa054fd48c94a871

SHA512
0812455aae0d77692b903861ecdc1052d7106c387ce28adbfe4e8bca0841fe2d3865be3b16db4c9168ddcfc859370ce2402e2c5181ff34baaaeb9622bce74772

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\НЕ_ЗАПУСТИЛСЯ_TLAUNCHER.txt

Filesize
3KB

MD5
4ddbbef4c1a0a004b853ee4ed7533601

SHA1
d12b2ab682eecc5e3a3b63618fd1c95e2ecbfc87

SHA256
04204513df6f55bd1d47893e0b041ca5284b45c514eda457f3622cd2b3136f4c

SHA512
d30709a61b85914947d89b1438888a29c9467f97171d7a617b36fe417c42e407d7837c9325a3c814690c8a5afdffd13c5de4e0bf26fa1a969f63e9ab0fb79f04

Download Submit
C:\Windows\Installer\MSI658F.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
C:\Windows\Installer\f7760ad.msi

Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
0b689a412150e3e6b39c6ec69146504e

SHA1
b690cecdb4217d05947f46eb3720fd3c10f0ebd2

SHA256
ee52474483d6f29d606aa7061d3c3b958d95c9c940bfab7578c75403be59d656

SHA512
e978b873cef32a8d6a8e692cf12728bbf8089b7af67ccd972eeeab69f88a3abecc5aa1b51dcae35e28ad01152ab7c978cc4df2e9580db438bc179dc5ea9f115e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
07552732fa64db456300880d52e81b2f

SHA1
9a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc

SHA256
94bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226

SHA512
47e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0

Download Submit
memory/1716-20-0x00000000034B0000-0x0000000003899000-memory.dmp

Filesize
3.9MB

Download
memory/1716-22-0x00000000034B0000-0x0000000003899000-memory.dmp

Filesize
3.9MB

Download
memory/1716-18-0x00000000034B0000-0x0000000003899000-memory.dmp

Filesize
3.9MB

Download
memory/1716-17-0x00000000034B0000-0x0000000003899000-memory.dmp

Filesize
3.9MB

Download
memory/1728-3528-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1728-3530-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-3166-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-3208-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-3207-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-3182-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-3179-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2028-2231-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-3151-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-768-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2028-2086-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2028-767-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-689-0x0000000000890000-0x0000000000893000-memory.dmp

Filesize
12KB

Download
memory/2028-688-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2028-3152-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2028-21-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-719-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-801-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2028-800-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-805-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2028-2232-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2028-2891-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-4290-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-860-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2028-2236-0x00000000001B0000-0x0000000000599000-memory.dmp

Filesize
3.9MB

Download
memory/2260-3334-0x000007FFFFF70000-0x000007FFFFF80000-memory.dmp

Filesize
64KB

Download
memory/2372-2992-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2444-4397-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2444-4395-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2444-4308-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2444-4886-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2444-4907-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/2456-3812-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2488-845-0x00000000033D0000-0x00000000037B9000-memory.dmp

Filesize
3.9MB

Download
memory/2488-2096-0x00000000033D0000-0x00000000037B9000-memory.dmp

Filesize
3.9MB

Download
memory/2488-846-0x00000000033D0000-0x00000000037B9000-memory.dmp

Filesize
3.9MB

Download
memory/2488-847-0x00000000033D0000-0x00000000037B9000-memory.dmp

Filesize
3.9MB

Download
memory/2920-3517-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2920-3512-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2940-3222-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2940-3266-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2940-3238-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2940-3235-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2956-2230-0x0000000000110000-0x00000000004F9000-memory.dmp

Filesize
3.9MB

Download
memory/2956-3149-0x0000000000110000-0x00000000004F9000-memory.dmp

Filesize
3.9MB

Download
memory/2956-850-0x0000000000110000-0x00000000004F9000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2233-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2956-3410-0x0000000000110000-0x00000000004F9000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2229-0x0000000000110000-0x00000000004F9000-memory.dmp

Filesize
3.9MB

Download
memory/2956-2228-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3688-4299-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3760-4954-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/3760-4399-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/3760-4311-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3760-6346-0x0000000002020000-0x0000000002022000-memory.dmp

Filesize
8KB

Download