bazarbackdoor | e132be19bc7ae8a96d3d620710fa26b614e022abecccc161ad733eff732afcd6

Analysis

max time kernel
192s
max time network
247s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-04-2023 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.879-Installer-1.1.1.exe
Size

22.6MB
MD5

c4ceda8c435298d23cc40a842f426d61
SHA1

c7337094f09852b00a815950e96f3292295e9e15
SHA256

e132be19bc7ae8a96d3d620710fa26b614e022abecccc161ad733eff732afcd6
SHA512

25e74422d3b7adeb0cc805bbe41298d4e0fcf984b038c63a3a4faeea16e10a18f113c9a7d946e16f377ad9e3a5ca0a6425d7650b62c1e5db9ee2299e9921f52b
SSDEEP

393216:LXfgqusAgbGPfs/dQETVlOBbpFEjdGphRqV56Hpkf+V4scTKAjENq3:LvtDpsHExi73qqHpg+Vvc+Amc

Score

10^/10

bazarbackdoor adware backdoor discovery persistence stealer upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 10 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi	BazarBackdoorVar3
C:\Windows\Installer\6dfb7f.msi	BazarBackdoorVar3
C:\Windows\Installer\6dfb83.msi	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

28 972 msiexec.exe
Downloads MZ/PE file

flow	pid	process
28	972	msiexec.exe

Executes dropped EXE 15 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exejre-windows.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
1980	irsetup.exe
308	BrowserInstaller.exe
1152	irsetup.exe
1984	jre-windows.exe
1680	jre-windows.exe
1300	installer.exe
1704	bspatch.exe
988	unpack200.exe
976	unpack200.exe
1208	unpack200.exe
1812	unpack200.exe
2044	unpack200.exe
1684	unpack200.exe
1528	unpack200.exe
1172	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.879-Installer-1.1.1.exeirsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exe

pid	process
1156	TLauncher-2.879-Installer-1.1.1.exe
1156	TLauncher-2.879-Installer-1.1.1.exe
1156	TLauncher-2.879-Installer-1.1.1.exe
1156	TLauncher-2.879-Installer-1.1.1.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
308	BrowserInstaller.exe
308	BrowserInstaller.exe
308	BrowserInstaller.exe
308	BrowserInstaller.exe
1152	irsetup.exe
1152	irsetup.exe
1152	irsetup.exe
1980	irsetup.exe
1984	jre-windows.exe
1260
1260
1112	MsiExec.exe
1112	MsiExec.exe
1112	MsiExec.exe
972	msiexec.exe
1704	bspatch.exe
1704	bspatch.exe
1704	bspatch.exe
1300	installer.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
988	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe
976	unpack200.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0106-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1980-344-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-367-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-390-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-404-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-427-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1152-499-0x0000000000D30000-0x0000000001118000-memory.dmp	upx
behavioral1/memory/1152-500-0x0000000000D30000-0x0000000001118000-memory.dmp	upx
behavioral1/memory/1980-501-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-572-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-1333-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-1353-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-1490-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-1512-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
behavioral1/memory/1980-1587-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe	upx
behavioral1/memory/1704-1753-0x0000000000400000-0x0000000000417000-memory.dmp	upx
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe	upx
behavioral1/memory/1704-1765-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1704-1768-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1704-1775-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1980-2343-0x0000000000D00000-0x00000000010E8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dynalink.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\public_suffix.md	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7263063\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libffi.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\public_suffix_list.dat	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7263063\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cryptix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\directshow.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2native.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javaws.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\vcruntime140_1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140_1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\splashscreen.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xerces.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\psfontj2d.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-libraryloader-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\asm.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\limited\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dcpr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libxslt.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-datetime-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-namedpipe-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\access-bridge-64.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.pack	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\6dfb7f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C42.tmp	msiexec.exe
File created	C:\Windows\Installer\6dfb83.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6dfb7f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12EC.tmp	msiexec.exe
File created	C:\Windows\Installer\6dfb81.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1943.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exejre-windows.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_18"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_61"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0118-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_24"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_66"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_145"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_03"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0125-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_31"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_183"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_10"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0190-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0063-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_07"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_24"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0166-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_84"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_29"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0106-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_70"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0095-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_134"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_02"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_73"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0163-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0163-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0205-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_43"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_108"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_180"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0215-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_93"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_142"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_100"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_59"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBC}	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-windows.exe

pid process

1680 jre-windows.exe

pid	process
1680	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1680	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1680	jre-windows.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeSecurityPrivilege	972	msiexec.exe
Token: SeCreateTokenPrivilege	1680	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1680	jre-windows.exe
Token: SeLockMemoryPrivilege	1680	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1680	jre-windows.exe
Token: SeMachineAccountPrivilege	1680	jre-windows.exe
Token: SeTcbPrivilege	1680	jre-windows.exe
Token: SeSecurityPrivilege	1680	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1680	jre-windows.exe
Token: SeLoadDriverPrivilege	1680	jre-windows.exe
Token: SeSystemProfilePrivilege	1680	jre-windows.exe
Token: SeSystemtimePrivilege	1680	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1680	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1680	jre-windows.exe
Token: SeCreatePagefilePrivilege	1680	jre-windows.exe
Token: SeCreatePermanentPrivilege	1680	jre-windows.exe
Token: SeBackupPrivilege	1680	jre-windows.exe
Token: SeRestorePrivilege	1680	jre-windows.exe
Token: SeShutdownPrivilege	1680	jre-windows.exe
Token: SeDebugPrivilege	1680	jre-windows.exe
Token: SeAuditPrivilege	1680	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1680	jre-windows.exe
Token: SeChangeNotifyPrivilege	1680	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1680	jre-windows.exe
Token: SeUndockPrivilege	1680	jre-windows.exe
Token: SeSyncAgentPrivilege	1680	jre-windows.exe
Token: SeEnableDelegationPrivilege	1680	jre-windows.exe
Token: SeManageVolumePrivilege	1680	jre-windows.exe
Token: SeImpersonatePrivilege	1680	jre-windows.exe
Token: SeCreateGlobalPrivilege	1680	jre-windows.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exe

pid	process
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1980	irsetup.exe
1152	irsetup.exe
1152	irsetup.exe
1680	jre-windows.exe
1680	jre-windows.exe
1680	jre-windows.exe
1680	jre-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.879-Installer-1.1.1.exeirsetup.exeBrowserInstaller.exejre-windows.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1156 wrote to memory of 1980	1156	TLauncher-2.879-Installer-1.1.1.exe	irsetup.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 1980 wrote to memory of 308	1980	irsetup.exe	BrowserInstaller.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 308 wrote to memory of 1152	308	BrowserInstaller.exe	irsetup.exe
PID 1980 wrote to memory of 1984	1980	irsetup.exe	jre-windows.exe
PID 1980 wrote to memory of 1984	1980	irsetup.exe	jre-windows.exe
PID 1980 wrote to memory of 1984	1980	irsetup.exe	jre-windows.exe
PID 1980 wrote to memory of 1984	1980	irsetup.exe	jre-windows.exe
PID 1984 wrote to memory of 1680	1984	jre-windows.exe	jre-windows.exe
PID 1984 wrote to memory of 1680	1984	jre-windows.exe	jre-windows.exe
PID 1984 wrote to memory of 1680	1984	jre-windows.exe	jre-windows.exe
PID 972 wrote to memory of 1112	972	msiexec.exe	MsiExec.exe
PID 972 wrote to memory of 1112	972	msiexec.exe	MsiExec.exe
PID 972 wrote to memory of 1112	972	msiexec.exe	MsiExec.exe
PID 972 wrote to memory of 1112	972	msiexec.exe	MsiExec.exe
PID 972 wrote to memory of 1112	972	msiexec.exe	MsiExec.exe
PID 972 wrote to memory of 1300	972	msiexec.exe	installer.exe
PID 972 wrote to memory of 1300	972	msiexec.exe	installer.exe
PID 972 wrote to memory of 1300	972	msiexec.exe	installer.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 1704	1300	installer.exe	bspatch.exe
PID 1300 wrote to memory of 988	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 988	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 988	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 976	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 976	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 976	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1208	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1208	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1208	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1812	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1812	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1812	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 2044	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 2044	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 2044	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1684	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1684	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1684	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1528	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1528	1300	installer.exe	unpack200.exe
PID 1300 wrote to memory of 1528	1300	installer.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe" "__IRCT:3" "__IRTSS:23652314" "__IRSID:S-1-5-21-1283023626-844874658-3193756055-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1841947" "__IRSID:S-1-5-21-1283023626-844874658-3193756055-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe" "STATIC=1"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5FA746CDADA5C4DCF456249D059991D0
2⤵
- Loads dropped DLL
PID:1112

C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300

C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
3⤵
- Executes dropped EXE
PID:1208

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:1812

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:2044

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:1684

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1528

C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:1172

C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
PID:2260

C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:2356

C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\npdeployJava1.dll
Filesize
1.8MB

MD5
ff91ac355dc6b1df63795886125bccf8

SHA1
90979fc6ea3a89031598d2146bf5cdbbb6db6b77

SHA256
14b30467cfea0071dffc658dd31b8a25b7b4e79608933f171911c2cba6aa9a0a

SHA512
77aa8c7930730004bdb8d49a82712e1042db978102f6eca0d38317b6fd98ef03e52279130eadc7a0da1148e759db6589f7f8334d4c2eccfb2613e8f19542e197

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javacpl.exe
Filesize
103KB

MD5
7a9d69862a2021508931a197cd6501ec

SHA1
a0f7d313a874552f4972784d15042b564e4067fc

SHA256
51ff63cbac78bd133333e98d91b02b652c88cd57cedd0052519051a17be77856

SHA512
5c331e6deefc8256ea203d63770484f6b485d4c3832a60ecf4a540dff3cb75a76dbde37980fe1763ca487401b68126f58f8d1a4c72ee610f5144c624c4736850

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
Filesize
446KB

MD5
24ccb37646e1f52ce4f47164cccf2b91

SHA1
bc265e26417026286d6ed951904305086c4f693c

SHA256
adf2d659c2b2a4afff1ca58f3a742d27d767d27eabeca6a8b6ee243e9c913a39

SHA512
cb174e7a219f6ffae3715e37beb428979bc1462202729c05a25fa7b8da90e2dd6faa92c03cd9ca21567d354dce7acc1852669f4071298e953d6a286243794e32

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe
Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk
Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
178B

MD5
3b1c6b5701ef2829986a6bdc3f6fbf94

SHA1
1a2fe685aba9430625cba281d1a8f7ba9d392af0

SHA256
6a2cdce88637830202e1031bc8c11f083103a6bbb8c1ce16fb805671a46633c8

SHA512
f3391d790bb6acb1c25b82253b19c334e7cd73648e9821b7050fefbd5b0bc4b48a0cedd97e425a83c788f9b798337d33dee2e989771604c4f886da46d2debea0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\baseimagefam8
Filesize
78.7MB

MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\diff
Filesize
50.4MB

MD5
926bc57fb311cc95bcefa1e1ad0ce459

SHA1
8c43b4d7aa223eaf9c73c789072545da0b2c55df

SHA256
9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a

SHA512
216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\newimage
Filesize
144.2MB

MD5
42f911bd9577dba41abfec153b50afdc

SHA1
e75303e84e59c81105db4aeb0e09ba92c0edfaa5

SHA256
a81763f447f212a42eddeecc63c58e580f1e4fb695480d24fba0bc43aa8c17e0

SHA512
40e22192db53eb84a117fbf729f83cbc79ff168509149b2281357295b72770816f260c9320cb7c5559f2242d7f7362dd7af4fa80d99a5db327cb2b690c9b6c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
801111689bc4333a4be0e1fded60bb0f

SHA1
faf3e434020387963177609f40868203101a3f08

SHA256
7594364eb959408abe4bf9e427ab1b4172acaba24571b5c9569b2288e0161671

SHA512
11d867db8ba7126494966cba7b4277337c4aaa71b57270141bf88c2fac8d9bad23bddf16a6a5f2ff77099f52b9fbdceb6a47ac44092eea591594fa4b39247a98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
679c940db6ca7f0563e5680cc3200f4d

SHA1
a71f448fdffac3e391a0377cd8404a1752c3d2af

SHA256
b55759824a22432cd1ddc331ccc99b0574465c4a9b67fb6bbf8278208d73dd58

SHA512
6ded167079b2e9d1050575dd61430371194024ffe1f485715f7ac0b2bb08bae6804a7d4e4d0cf2a138d30bad5a7a374b07e80388d2a237f9dd8f2513ecb7abb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
0e985976057ba3b354f602b08913e40f

SHA1
ec274accd36afb743a84bed08db99f811ba5fe04

SHA256
0f282a68f475ff6bd7808b775debf5302ee8d40531404e74636463ee178968c3

SHA512
e151b9ecd53ce6d6f1d5345717c2bb3e0fa5f649f6de764cb722b13c4ff2122c2be2bec0e3b43a080885a82fbd7e758462abae704a19642c8a9d79735be80a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
d3d62aef8652b091e262722768763fde

SHA1
105e53e19c77a5f06b52e805a9ec1c0b6106f962

SHA256
8c34f1464f05883f59a1588b2e16a75762fce5d5e6edbaa5a652a12a35ee94a2

SHA512
231e7e2e4f053b1ac039643ff1f7dae4ed8a42aa7e43f2d4b9d7f47087747f73554e8f05d1640d6b6f6aeba247b0111d61a102fa499ae70a9aa967102c9a2501

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2782.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar80F4.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
6beb106fcdb10fdd1af8f408dbfad7c0

SHA1
47e5cc259f9b7f0aacaf61f51a2b8835135925e4

SHA256
adb0b0e1c35dc71b2796d71009d610a086a1b2a46cd78495ca6c1e414e424d52

SHA512
b5ecf7fc5f4d2378c8d069a2e40dad3dab6b1b954257abab41b35f3e460df959d02d9f2bb04d5f66a0c8067021eab4d85507613f641ca7eb7af86c3a9a6d7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG
Filesize
644B

MD5
9756710c8ffbd55efcc8cceb7ae36978

SHA1
1cfa830268061cd6988cd04c69dbd260eff20906

SHA256
0ef03e7257d6d31a1d37adfdbc733ed9fb41259bb0d44c0b3424d1dddfe91646

SHA512
67a8317c199349e9142821bbc204ebc31a5091560f257d8ae8f498bba1c35b3e1f666faae1fc70803e8781903bb3386dfb7b09d796c0a61211ae7df6cfe1eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG106.PNG
Filesize
1KB

MD5
9652f5f05bdb53b417e7071ce15aebbc

SHA1
ad2e987f95cfb7ff5690b395dac47b066e919fa7

SHA256
708a0ea0632e0c82429425778557a6fedecaf63c591316423c71f3c5db210416

SHA512
60a71ef4ee4d85ad9284eddbd4443bc11e67fd2a9d5d3a4bd41364fd3c7e64be1d522437124f77fb2fa9ccd8c559e34123bd9eb5037ebee5f85c68ab069dbee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG
Filesize
2KB

MD5
177a9e913e7039e698bea8b073ed46a0

SHA1
6aa8cb4efce1443a604dae67653cbc29727353dc

SHA256
10ece4579c86f299612f85a4dc21a6906cd522bba801d9b357abfbd2b5a21ebb

SHA512
5380f57569a5e44ecd66e6a996cb8949e01f7e2f15337a21133bb9bebd3893fb6a887b69b2bd56edbfc4872aca6f59e37b305ace774ee175955fa911b2a39a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG124.PNG
Filesize
40KB

MD5
ed056469c2f0a7adce3e80404bff316a

SHA1
48e8a5e0dbe66bb8ad044b39f2161583a10cf24e

SHA256
ee5e42eee432320ac80b75b45d4d254d2880c31092579680bd6a585beabddf0e

SHA512
34322e5654902227bb67e43e5a6ffcca5895bb634a2c3f795ea68fd57125b693d656eab4fa412f1d4f64c79aa02e0de8b36b9b04eae5bae7134062a9a5adeed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
ac819dc416a9c3d7cd218247a505f4e4

SHA1
65184cf901d16f1f18dd82bd0673250d5422799c

SHA256
a1639ff730514d3ef9d8e5363e6848069462845a9c9c0bc4ca355b60cb9dfca3

SHA512
4ab1351fd036b4187660bf42b19a5f1b5a2ad51369c5e056bbbc765051905e3f1b5716557f113cf2e14678481101897698c3fc746814189da75693d3fec8fab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
179d7efdf2a2909c5cce33a2fa7b29cf

SHA1
e6ee30a67170e74491069edba50c950909bea4dc

SHA256
cc4db69be2bcdf373a7615df5a274a7e08c1dc7c3106fd835272dea973b9e049

SHA512
1ffba7773a15d7b53a4fa7f1b2099b565baf1d550c801a065bd03a613b5a408429c038b51a05293868525ac9cf3976615030b5cb72931a54e1a1045a1c3bdc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG45.PNG
Filesize
438B

MD5
677ed3c0ef77f1d3d09d888f82d22089

SHA1
6fdddf5102cba85694b2212a058e7b061fe49fa4

SHA256
87db8c352230acedd0b49189c6cdf8cb168e68cd48548724c2186db978240d05

SHA512
24ea7cce29a2d968f7cce44178d91651fa6f35a17dea23aa00ac1913bc14e6ae2263bd2e93233efd387370abb7c3512fba92635e3bf6631fce2e12221fe6c1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG
Filesize
206B

MD5
8afc6a2df8322ac99e9320a0eb07f978

SHA1
1c5134eb8e2d52fb55ad9a5dfddddd82c38897bb

SHA256
e5a9aafbba5c72f541d09f5d6cbedabe1caf0076fc198a6ac2fba7ad7a0df979

SHA512
9f955409fff9a0011a06967040df80675aad83b893ab2d00080d3411aad2844e416641b247ba18bcb9a7753f17e4887ecc18b9fca1389075dc8d1f98bbce694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
Filesize
43KB

MD5
97a2aaca50914badb17e343b6f592171

SHA1
991b22e59ad4482395b288ae5074268ee93a55b3

SHA256
c121b4caefaea329d596596773c39f8a35beb5fcc4bc1a09bdd47d41382364df

SHA512
c8cc5b507a97a6c3ef62a27c7cf1b3f67b81cccf99fdf158948827911d477507d3c4a3326c3bbee4296c1001dc1d745ba1779fd91886dd50d6a89c51879efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG
Filesize
1KB

MD5
382fa04ae6fdcc6b1713b9ef02e9675a

SHA1
310b638c0bb8ec49b208a1f8982a63f6c34fd6f3

SHA256
8775ed30c651649b1e693cc9bfd8ed3093c91011691fa50bc64dc8058113614f

SHA512
11a91ee803c99a71ae956ede7d8778157456ed53ca0af8d3c72621650cc84ef1df5e3c0fc8c225e22903f0c7a57d867723777655c1f8606242b8369943ff9d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
114KB

MD5
bd5626a0237933e0f1dccf10e7c9fbd6

SHA1
10c47d382d4f44d8d44efaa203501749e42c6d50

SHA256
7dfc1176d8a507135140b23a0c014093b7e2673f0f3e5727c3d85df4e7323762

SHA512
1fd864a5386580cf8bbafbacb12a043ef51948b729b9aedfe6dc81e6c2948a100526c7c600069f22454d550f7f736ad3045a930cc2ef97458dc1d6c782928087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
1KB

MD5
589c813b6a44efe50c070f708c1dce52

SHA1
653d9a612c914c1fc82303f14738412b6d58c1e0

SHA256
db4397fdc010a1f22d2369ac5b3ac4c2d706838ea640e316366139b9fb4d2054

SHA512
42aa9e150f57b7c3ba2cabf99906abc7bb3ac178f028920fbfd1e4627524d2fde3e5a30fabd2e84312fdc31c26c300ab82dfed1267a511cc3d4dafb73a3fbe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
14KB

MD5
ad9d96121246826863984a8ce68f692c

SHA1
6e5b87754991b927976163db593d81a76e44f6ea

SHA256
06e86a0632ada897370a2ec523896ae98b19e50a475eab54d4932893048b6ab7

SHA512
d0e60d9b51c268f1001826f97a840b1e0c27c767850498b35120f2fac2d8a0ecd69e65bf780d1378d34eee8ad8a9f3523e12aefe7ec297752442aa0bbe606dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
26KB

MD5
a67e72655af94ad3c5e0c1b514c04c0e

SHA1
7b8cca1c7f5234b17e1bcc699c3c74a66d9a97ea

SHA256
caae280f0d3670471c4110c1d59ab7af011631f66a8c472d54ef897cb4980e4b

SHA512
6a066bc3b6239aa0c4abe3f412ea2097ae4e750498e082ab3df8b73364b94de8e37f94e1a3058dff530191b34af47968f5eef1e57b6d567ba7965b8bcb74c942

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
37KB

MD5
5b19df5bf61af8bd768c5ee0827d8dc9

SHA1
7b53c2bfc1f36a159527ea2572e2beae543440d9

SHA256
99dfb50be2eccc4a5903eb36ae2639f24acfd8435a011798b5c5a0de805fa15c

SHA512
149462acde0a66955691e815bd4e3505cbc6cd0fcf8d2f4b06d4249307c4aa98943d6c2fef5f85639eaf3605c78a9f29610e0744f53e1272fd34beb411ceb97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
591B

MD5
283e103f911aa1ba08c060e9cef62ed9

SHA1
6d0338c5d0b170cda338b016eac2d4d5a047f328

SHA256
6636420d1c1b0c33ae833d4e848fa8c8a7fadfe5691545abe893b61d24c3780a

SHA512
94c70ec9312a6a4c734d7372aca9969f0598efd972f13a4ccf50b766d7a886c427a93b9755b0727e8fee419256912053e4f5be0d350c5f6f96c64ec4a47db794

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
6.3MB

MD5
545c62b3d98ee4cc02af837a72dd09c4

SHA1
54446a007fd9b7363d9415673b0ac0232d5d70d5

SHA256
738029a4f974128180fa2cd239e873b01e456e8bf53bfdbf34b8ba8b57897be4

SHA512
8bf9c754861ed267efd2055ac09b4ad44df61b989859fccd14190592dca1dab0fa8f57360209eaceabb5137f742c9cea73a1a985ab1955f87a6875d0be95fdcf

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP
Filesize
451KB

MD5
0b445ace8798426e7185f52b7b7b6d1e

SHA1
7a77b46e0848cc9b32283ccb3f91a18c0934c079

SHA256
2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6

SHA512
51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG
Filesize
1KB

MD5
1cf6dc4a707fb390470baa010180aa2c

SHA1
573461063ec81b452576c266fabb0e30cb774e89

SHA256
c3fcda4e4b73324d577bccdcc7750507ea59cbab13d58e13dcb5be4f3272923b

SHA512
81b259e4bbe1f0265ce72d2efb92472b23c5a65fb1da6353d007aeb08d5bad56fde5fac0d85328395f2793c8733204384031c13aae9b42b0b17e435249f1789c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
45KB

MD5
f9eec55204e0bd1957aaa009bc1f0aa9

SHA1
3f576b56f97fc8cf1557d054496ac66d82f1569b

SHA256
015062c19f673688f853a0054f62ded39687d3c16cfd58cdd05954f58de76b6f

SHA512
355e36a9f014d841975ae955c6020b941396f595e1cc5e39a6a526481d5344800cbba6be5db83e44e866a9c04465a79354ca4dbd529f6a63518740fba1c1207d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
Filesize
457B

MD5
e715517d216e2ea8972321486c64a82e

SHA1
ce56341376871dfb0940da71b8c2b0174eeb9a37

SHA256
9cace032772bfc90b522b17a1a262072df599ad8e9517a4e16d6e0b97d68e8ed

SHA512
008324bdd3cb33bb3d905e789af3648f814ed826db1a38f58426005637aaf8c11fb7cf038d38901f9fdf342a89a1f7f5db298923589fe6801567eb82b0f5f49d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
Filesize
352B

MD5
f88854422ec72b0b5277a3873d17998a

SHA1
d2e8cbbb9872a1373fa2359a8097dbd338e10e78

SHA256
9c737e6242db287ef5afa117dc938286b9aa05efeb0d6af1f6fe6e83efb3900f

SHA512
d7094b9c457ac5b76eb8a1a2918e5571e7d8c8b57669e046037a3f8ee3749d57c1dadca4b8b0fadd0c5ffc488f036cb70d7f392ed11f74d99592bc7a5e4b7435

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG
Filesize
1KB

MD5
b892dcb07f669beaf1f92b08237d712f

SHA1
320d43d5afc38abf5d73d0363f88417b4363dd8b

SHA256
cadbc5331a0cadb9898090f5624decc1e231cc8b1b50d35bee97a8bfae04e6f0

SHA512
d47a0555f0a048e18d9628f50299d1ad5632da9cb620164bf3a684fa22a33d56b3736f64d614566532029d31e92cc2184a85fd6970257a78a11deacca5e79b32

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG
Filesize
1KB

MD5
3868db0b80c782a378d17b7133f41a7f

SHA1
0c52b2223be436848c656472db2aaa5fe99422e5

SHA256
b814c7da30e3615e78267290272964bc1cf700a8cab57520f4d7624fcef20b89

SHA512
029d4e6a4a5e6d1644b17d6c3b376f57564b25bc941c810466c39f6fdf5d87915f5ba36e31a64ea73b15c9b2eea9b73089ecf2b3773c6f9be8567ace230d2c33

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
Filesize
41KB

MD5
383d7e5742dade5dc9f24d3b3ea42812

SHA1
650af6fc1ca47619a7298c090d9c1e5ede22a271

SHA256
681a223f76a0c42de09062573219c16988512efc43e056391d71bc9dc3363b4c

SHA512
01f370ec27505f5474e2b6b746d46e37d121906f3c43e4468a1ee78053c75b3249a4dbe1cb813d13363a4575785629925558621d5d660a32a4e7a5ad666c6396

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG
Filesize
1KB

MD5
de1b0d4aebc8d24f87c9536c5f2a5ff3

SHA1
9855d577b6827c7e96171584b907e2efe5b803e6

SHA256
ec0653fad51c2068e8b22e17a31907b2cd0c9629781112d6ba27a3f499e83509

SHA512
85dd7a66ec9cc5e782578886349e26956b68ad80fd7d20ea931f6b4ea9cd957248ddb52ebafa9161f9302862ecc72b72bd497068d9b63db467d46e74c71cdffe

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
2ed60123f0b77e868f91e473e1cc49df

SHA1
1f888f831deb93eae6a162d38fd4a6065a447b6b

SHA256
213f20d5269523f98da92316f5374d9d06011283a8f8cd6e6deb170c3cd48560

SHA512
b268c4246a47535f00a98efd2286b440ee374ce9eab69665423c38f8a4e215d7733890963b5aae0c99aa5faf54f063e26dc5fb91891b93969508ba5317962536

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
6KB

MD5
4f7be9736242579cb8afa1af86980dfe

SHA1
1c486393847996db4f6b78532dd7bd9a0a924549

SHA256
9cecc28716f392d2394829f4cc3f307d08f5aecaf3e2124bdaaa0d6d9c3400b4

SHA512
4c55bc2698d8934713e791c015480248198e22efa66dd5ca79ea834b9835c9e85ca8c2869c9b40dc394ae7e27da039f79c392f88472dedc1adfa83dd1e94f1c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ALMD9C0C.txt
Filesize
869B

MD5
96356fa67c776c285e9a7acfb614882e

SHA1
8cf0adee997fba8c525345749b20d3c6802c4ecd

SHA256
186caa7b80e34e5bd10563ae19e967e74b900061eb4a1062438b1cab9c1c9493

SHA512
6740850ac8741bd70f4c73be53fdfd023dbbc5341868ddbd22853163c2b4a382acde716eecf426ad6fe5bfd22949907b8391db3c0f3677579f0362dd52708124

Download Submit
C:\Windows\Installer\6dfb7f.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\6dfb83.msi
Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSI12EC.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSI1943.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSI1C42.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSI1C42.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe
Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7218462.tmp\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
Filesize
1.8MB

MD5
8d26aecef0a7bdac2b104454d3ba1a87

SHA1
50c29c58dfece62d94ed01cb5b3d070e593dc9cf

SHA256
e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c

SHA512
0daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
0913b4c43b4a1c301353197c30e01f4f

SHA1
245c343a7bb339d402ff8e9d442389a4f3dfc3a8

SHA256
238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c

SHA512
9d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
018c68cdf5ba005b4a380c20b13fee4c

SHA1
bf6043fbd31288e8667fcfc37cd74414bee1805f

SHA256
3c7e2319176b70bed0460000d772da9d4cfeb8d2b06dfd913905f15e65942923

SHA512
506c062854f64c4f0d74e2fe709cbaa60a1d2fef0ca7c226fed264be1843e3d329ee542290288335e337c10d266e487c552836d6cae1919ab035f945afa87ed6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7165952.tmp\jre-windows.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSI12EC.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSI1943.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSI1C42.tmp
Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/308-484-0x0000000002CF0000-0x00000000030D8000-memory.dmp

Filesize
3.9MB

Download
memory/308-485-0x0000000002CF0000-0x00000000030D8000-memory.dmp

Filesize
3.9MB

Download
memory/308-496-0x0000000002CF0000-0x00000000030D8000-memory.dmp

Filesize
3.9MB

Download
memory/1152-500-0x0000000000D30000-0x0000000001118000-memory.dmp

Filesize
3.9MB

Download
memory/1152-499-0x0000000000D30000-0x0000000001118000-memory.dmp

Filesize
3.9MB

Download
memory/1156-68-0x0000000002B50000-0x0000000002F38000-memory.dmp

Filesize
3.9MB

Download
memory/1156-369-0x0000000002B50000-0x0000000002F38000-memory.dmp

Filesize
3.9MB

Download
memory/1156-72-0x0000000002B50000-0x0000000002F38000-memory.dmp

Filesize
3.9MB

Download
memory/1172-2133-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1704-1775-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-1770-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1704-1771-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1704-1768-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-1765-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-1762-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1704-1761-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1704-1753-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1704-1760-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1704-1769-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1980-368-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-1363-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-1490-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-1512-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-344-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-572-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-367-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-366-0x00000000009A0000-0x00000000009A3000-memory.dmp

Filesize
12KB

Download
memory/1980-365-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-1333-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-1587-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-501-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-391-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-390-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-427-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-1354-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-444-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/1980-574-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/1980-1353-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-404-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-405-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1980-2343-0x0000000000D00000-0x00000000010E8000-memory.dmp

Filesize
3.9MB

Download
memory/1980-1334-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2372-2382-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2372-2398-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2372-2403-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download