717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher.exe
Size

9.1MB
MD5

833512c89f1ab92c80131d415f89f442
SHA1

dd9953ddcc33278bb97502ffdc6e7462e8005680
SHA256

717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6
SHA512

f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1
SSDEEP

196608:wX2Bt2BlE5QqZG5UDTQDceLB4QgRbKEYNT:wX2BtrQqQ58Q7

Score

8^/10

adware persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

Processes:

jre-8u51-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exejaureg.exejavaw.exe

pid	process
876	jre-8u51-windows-x64.exe
2096	installer.exe
788	bspatch.exe
564	unpack200.exe
2672	unpack200.exe
1600	unpack200.exe
1440	unpack200.exe
2260	unpack200.exe
2844	unpack200.exe
2244	unpack200.exe
1072	unpack200.exe
2900	javaw.exe
612	javaws.exe
1732	javaw.exe
1868	jp2launcher.exe
2664	javaws.exe
2472	jp2launcher.exe
1860	javaw.exe
572	javaw.exe
1440	jaureg.exe
2348	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

iexplore.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
2812	iexplore.exe
1156
1604	msiexec.exe
788	bspatch.exe
788	bspatch.exe
788	bspatch.exe
2096	installer.exe
564	unpack200.exe
2672	unpack200.exe
1600	unpack200.exe
1440	unpack200.exe
2260	unpack200.exe
2844	unpack200.exe
2244	unpack200.exe
1072	unpack200.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
844
844
2900	javaw.exe
2900	javaw.exe
2900	javaw.exe
2900	javaw.exe
2900	javaw.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
2096	installer.exe
844
844
612	javaws.exe
1732	javaw.exe
1732	javaw.exe
1732	javaw.exe
1732	javaw.exe
1732	javaw.exe
612	javaws.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
1868	jp2launcher.exe
2664	javaws.exe
2472	jp2launcher.exe
2472	jp2launcher.exe
2472	jp2launcher.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/788-757-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/788-766-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exemsiexec.exeunpack200.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.policy	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\logging.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\access-bridge-64.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\accessibility.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jawt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jdwp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIE525.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a6e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6e0.msi	msiexec.exe
File created	C:\Windows\Installer\f76a6e5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6da.msi	msiexec.exe
File created	C:\Windows\Installer\f76a6dd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA98A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6dd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a6e3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF37A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a6da.msi	msiexec.exe
File created	C:\Windows\Installer\f76a6df.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF212.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a6e3.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 582a56a185c9da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeinstaller.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe2ef6f9f254384cad3ccd877f8144b200000000020000000000106600000001000020000000442fb2bd256c0fb90b1d1ef2e7c978363e1b0f6e2bc6df51b4de6e46cabff985000000000e80000000020000200000006770d853ab85cf37c9d600483cbad5a0b4bd92d1a88a0878031df6999a6d9b5290000000216a779a2ecbf2552a1f1fc08adb43b25d6738ded45fd7d3f5337bc22a105170d37a8fb58bbb0f3dabb818b30ffbc8ef62a47c6bcafff5ff4b8a9d797f0bf4c4b59e3e709efe5627c30b55ac1cd96f6a18f54edd8189ddfaa455f015d36d2b888792a81887d6d1edc91bb0b6de5f710d0327ab691b27aa38988c77e21878245ab1d3e1549dae53cade752e5f9bbfa0bd40000000f8798291bfa6dd3b868f9bbfc5ee03147426f749bbac75da54b708768920257cbf63ff6e09b633e86685508b2ce49549c00349a9f31c2a594fb32f0ea796fc61	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe2ef6f9f254384cad3ccd877f8144b2000000000200000000001066000000010000200000006cf3e88d0c3257ffa3dfd81721d750ccbb66e2044994b8325b172e113fef2f74000000000e800000000200002000000045245bb08889ba019dbacf4c044a96f0d580eeb071599ebd01bc683eaa9d86ce20000000877f5d98922eba78ab00f080f11658053204a359cc18aa64ff20dfea24578369400000003fc09dbfbc8983ef2d2a4250387ca12334aef82284760fa7064c7b85495d08ef8ac1f8961010658f4466bd2ff8612d2fe099dc78ec603fa6004091b8783b6e20	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA56B571-3578-11EF-8356-E61A8C993A67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bbadb085c9da01	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425759732"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_55"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_07"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_13"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.0_01"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_39"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_73"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_09"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_76"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_56"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_58"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_26"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_01"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_40"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}	installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

jp2launcher.exejp2launcher.exemsiexec.exe

pid process

1868 jp2launcher.exe
2472 jp2launcher.exe
1604 msiexec.exe
1604 msiexec.exe

pid	process
1868	jp2launcher.exe
2472	jp2launcher.exe
1604	msiexec.exe
1604	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u51-windows-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	876	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	876	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeSecurityPrivilege	1604	msiexec.exe
Token: SeCreateTokenPrivilege	876	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	876	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	876	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	876	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	876	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	876	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	876	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	876	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	876	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	876	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	876	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	876	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	876	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	876	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	876	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	876	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	876	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	876	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	876	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	876	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	876	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	876	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	876	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	876	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	876	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	876	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	876	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	876	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	876	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2812 iexplore.exe
2812 iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEjp2launcher.exejp2launcher.exejavaw.exe

pid process

2812 iexplore.exe
2812 iexplore.exe
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE
1868 jp2launcher.exe
2472 jp2launcher.exe
2348 javaw.exe
2348 javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher.exeiexplore.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 2952 wrote to memory of 2812	2952	TLauncher.exe	iexplore.exe
PID 2952 wrote to memory of 2812	2952	TLauncher.exe	iexplore.exe
PID 2952 wrote to memory of 2812	2952	TLauncher.exe	iexplore.exe
PID 2952 wrote to memory of 2812	2952	TLauncher.exe	iexplore.exe
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2564	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 876	2812	iexplore.exe	jre-8u51-windows-x64.exe
PID 2812 wrote to memory of 876	2812	iexplore.exe	jre-8u51-windows-x64.exe
PID 2812 wrote to memory of 876	2812	iexplore.exe	jre-8u51-windows-x64.exe
PID 1604 wrote to memory of 2096	1604	msiexec.exe	installer.exe
PID 1604 wrote to memory of 2096	1604	msiexec.exe	installer.exe
PID 1604 wrote to memory of 2096	1604	msiexec.exe	installer.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 788	2096	installer.exe	bspatch.exe
PID 2096 wrote to memory of 564	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 564	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 564	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2672	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2672	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2672	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1600	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1600	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1600	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1440	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1440	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1440	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2260	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2260	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2260	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2844	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2844	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2844	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2244	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2244	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2244	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1072	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1072	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 1072	2096	installer.exe	unpack200.exe
PID 2096 wrote to memory of 2900	2096	installer.exe	javaw.exe
PID 2096 wrote to memory of 2900	2096	installer.exe	javaw.exe
PID 2096 wrote to memory of 2900	2096	installer.exe	javaw.exe
PID 2096 wrote to memory of 612	2096	installer.exe	javaws.exe
PID 2096 wrote to memory of 612	2096	installer.exe	javaws.exe
PID 2096 wrote to memory of 612	2096	installer.exe	javaws.exe
PID 612 wrote to memory of 1732	612	javaws.exe	javaw.exe
PID 612 wrote to memory of 1732	612	javaws.exe	javaw.exe
PID 612 wrote to memory of 1732	612	javaws.exe	javaw.exe
PID 612 wrote to memory of 1868	612	javaws.exe	jp2launcher.exe
PID 612 wrote to memory of 1868	612	javaws.exe	jp2launcher.exe
PID 612 wrote to memory of 1868	612	javaws.exe	jp2launcher.exe
PID 2096 wrote to memory of 2664	2096	installer.exe	javaws.exe
PID 2096 wrote to memory of 2664	2096	installer.exe	javaws.exe
PID 2096 wrote to memory of 2664	2096	installer.exe	javaws.exe
PID 2664 wrote to memory of 2472	2664	javaws.exe	jp2launcher.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
2⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
4⤵
- Executes dropped EXE
PID:1860

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
4⤵
- Executes dropped EXE
PID:572

C:\Windows\system32\msiexec.exe
"C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
4⤵
PID:2132

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
4⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:564

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2672

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1600

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1440

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2244

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7C063A524AA4052DFC0D4BB24435349
2⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
3⤵
PID:3012

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57B2CEAD248C20D03433DFDB4E32D791
2⤵
PID:1844

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\TLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
1⤵
PID:996

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a6de.rbs
Filesize
788KB

MD5
43ffe7d291f3aa94986610da30b7ba82

SHA1
619a9b5b929368d7166c333acaf47454d122eb17

SHA256
eca82f45e96b9a09e2968a2003631b581adda537a656c7b99928ed98df5e12c5

SHA512
c76ae5bb4ec23e2e465e55e8fb0fdca6e97e1ca83f3bd67e9bad03820ad8b88caaa71a6a8c91695d64142264a443e0d3cc19bc28b385674a8acc856fd0ecff84

Download Submit
C:\Config.Msi\f76a6e4.rbs
Filesize
8KB

MD5
bcdc4c579afb3487f17d690dc3f74a62

SHA1
8cb05147abc0dfe48aa6d7f2df89f0a2d8dbc293

SHA256
de1166cd9a2edcf18e7b418eae91be3cc44bb4102f1f8b3b38c693ab9bf8ed48

SHA512
8412160a87ba9e282f3edf018d5329c501c6ea0f23fddbb64ab40dc3f48c810ccfbbcf53d1cffaaf061c1234fe53065edec8d3e2857b284ff47098293ff8ebd0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\server\jvm.dll
Filesize
8.3MB

MD5
2894ece7b8de355b13978d6b8ec6e68c

SHA1
cec5cd8450498ee6f81eae2f10e56726b6125be2

SHA256
04d85639dacb86c6efca146051681608727f0376ca5293b9f83b232fc4db6a54

SHA512
634e1cedf63d384c072bbd32dbca35982f7b2a7a77ab6d11130f2d45fd164d17ad080206a650854473370e824ec1153c61821c318a2af7954d2031a38d37bfd4

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\amd64\jvm.cfg
Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack
Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack
Filesize
4.8MB

MD5
8dfebf0b78c6e3bf5aa5002ca9a6da1a

SHA1
1edee53b9e0af5d767d0051c2beccc474035024f

SHA256
0840d659560e62fcc41cd42dec9d7aedb8359f606097b540806452ca8ad05e21

SHA512
f9bf6e9558b52969ec152fbfebc239c1bcb7e4343b3dc58da5e7cac015d1fe75f255bd9ceb3fdeb86b2c05be62c62b552a25c94aba4091df3eaf163cf91da444

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack
Filesize
1.3MB

MD5
2ad7c3462a7494b29edbe3701ebeab4c

SHA1
7358ab9b0c4771efdc0d28764b90a46aac55e865

SHA256
7cdc489fa093e924649e82f4eb9689bc1bc0d28e20e37a0a94060efd5428c2db

SHA512
8b1f0f5932896f1876e5f8137dc8f74ff79f02b7708220b53ab2146fc742403ee952c68dddff9a92c786d4a534f7a266327934a8fe84a3c979c016cc8c93efdb

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack
Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
87fb52832b75e3d4277c862750c45113

SHA1
142af7416382c80cdf834715d1d63bc6858c2946

SHA256
c4f05792cda8510ed77d940fc33053d288cf4ba64429b07be3d751d8926fe1e0

SHA512
4d8e08cbac1589298d6c047d7245a1885ef236804cd3de48ae056d0ab65e2348c1241dea979866c16c5c44fa363e3ac0f8ab034663bf1de7ec241700bf61d881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
53a9f05239a10b7a4740d9e7e8da6a46

SHA1
8f526b3e94b5d02f3be9bc3c41eb715fb2a5d118

SHA256
be468dfa7dc23940d54455379df4339eda8afa9a4160198e244002ef65d431ab

SHA512
469c9d84f85a4643ca7163166231cbaf5f7eb0b910cf7c2db53fae66c2056905da40fccd68d41d252c2c7c90895b0779d967557d0e8f40d230910362a05247d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
080540debe4865ed4d43fa6188b87a92

SHA1
d82e1f495ad456dae5fd57ef64fff1e04a651b5d

SHA256
6f207b370cd23ed7b439c68438c1f0e75d15c84024043dd8069bbb1802c755d1

SHA512
d615cc214fea10f4192992f216ed0223609740fcfff099d4895e23a73f4fb425b9e186493b295bf7edd34b1b1923a412ae79fca88a09431f72ec3949dddd33df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
Filesize
180B

MD5
7d539911899a997e151a0d1233bfe0c5

SHA1
057d1032b3be3ee104669413495e32dcc4c646f7

SHA256
bc60a8a5815e1789d0186054f5cd8cb0503508c853f6d19dc08ea3010236053f

SHA512
2c2d8dc83bf29cf0d5eb9744cf6edad20308bfba67b5da8c877626c5470159866fe808e05ee48605a5a87072d820c88622a39fabed4e3d76c3d30d9d7c8d9f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3b5557690d3a7069753c12f7866f3faf

SHA1
34e59a6216ab5ee91fa776413e423358c8bec0c3

SHA256
1a6edefbdf96c59d0bf979357cb6dd27b5b79fe9d13b089e42950528b8c8ec69

SHA512
ff8bcbe875c7309ccba8c00ef1993f0ea5052f73d6532fceb17702174377311bc5f9f46ae6098e889d3e9c5b20dbca2ae099b4bd20d9a5cd05549aec84ec94fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
23276d58b418f21854d69533555109c7

SHA1
be9f013952bb35476384048e710adeddce1dbdaa

SHA256
f70d302cfcdd722fad61fe390423cf9a03cf17d1ebf3972af3add6d3e0671a67

SHA512
837f59bd0535f5f9aaaaa27965c07955cc97918c279cf49fe5c84c4cb58e920dca60abea705b6da8dc211e86884a673ee5abf2c2e169652b97e92c313f40b3b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4086a9c4300a416316d996d4673ef9dc

SHA1
92dd63b0fdb86da0fbfec98bf9994b71dd4aca9b

SHA256
5745568fb8aea6db4dd17862bdc400c4c386753ddddcf22b202bd32bf16fd19c

SHA512
8ce47eacad4d0f9cd0f47a6949c0b051b29f892aed1898c428800b612d920d74a9694aa6ccb7e0a2d0326e74a78cfcb8d08a22f14ec9107b1beda6cabbdf089d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c6981f0d4c27d0e9cff82016229d8beb

SHA1
ec3b0707444efc361421158f07c03c176431a070

SHA256
36488affb57dc50a3fc74c901a7122982570689ba1b4baa314065d44d28d66a5

SHA512
25be3a0b16346cfbba83f6dab2fbdf4f079dd8272108266c12e709c476b9fc1405a406b1d072c1d59e7560359ab8dccdd0c22ebd7311cf062020102cb26e48b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
32e69183b9cc6c0e14505e8259d7a3f6

SHA1
ea2965b0ed5067c42b5a617ba64450b19b88b190

SHA256
1ab0572ed468d5004bc9b0ee94d6ac60634481d971d24c1cd455838f8c8ed049

SHA512
af925d8b28647e433a16a63888ff111540affdd4ccdc469d5fedaf68013abe847236135671c2fa70f655b30a7df1951b694ab5074f6ac9cbf7465aebd4583b17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c86f433b452fdb52383c3ba672d502eb

SHA1
364f4517e6a6edf8349a66d8879e2b62e1f15bae

SHA256
5ce1a9ac05cc1d6c5c8ee60258c45d70830ed388209e985a655f021543242e9b

SHA512
b6fc47fb10a4393c22099341f624a32d47fea5348e4f01ca51127c14a1013b2feda4b18931341341e96cb669b28953cc16db7b1314364287652786afda30330e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
46b09eb844cc0fc7ffb1169256f4dd28

SHA1
2d69b9e5a5b9350afe3a7f00ba09df2d4120c85d

SHA256
aa2a0cd765a031d6ce234d7d5ddc60538ce64ecc286e32504e5bc0239ee47849

SHA512
78f1b292f11b052a2f6693726f006519986eff594f7f5383a8511f03b9f568c79ef62ca2e026755a48ab9c4fdf0b02a99d7e35b47087eaecf1a57497c0867294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
39dda07d63679a4b51da5237e431a1cd

SHA1
d8f5aa0e55125d3e89563ce33b105e1fd892d668

SHA256
18bc98c3e46f172b088fa31c8b5aadc15ebd6ea1589c9d889e893cbecc132672

SHA512
f4da05e50671a938ab73ba978a2eb9966d88a14a73cc9e659bc8de1e51c99df042f1f3391239caf0574f32aec19dc5a7876148011a7ed71e13ece13fe4ca8594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4aee62eac42771d95bf37cf351610c56

SHA1
5888c99fbe7038245606ef8f8bab05c29f5d5041

SHA256
7eeae47a3b79c9ec8862ae7b3831fb2491c3d190b83bc44d5a0283bea5c65d08

SHA512
08210407f25c4bdf0bf1375206e71c23e6ae426c36760a3dbacc3390a793fc181980e4a4f84b3f873d85af5636d83bba30c5b7a0acfc3c7f68258a5d0142f755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7e58edd75048e0235aead9ce056c038e

SHA1
52ab164f6b2ff84ce050bd076c09073e331ae3dd

SHA256
74e32a8083b1ad71dd49b0dd0be415c89ae95bdcf00d5755f86d90923889de6d

SHA512
97d644049dccd8a093f52f6235629efdaf2433a685295cde461f14ed691effb7b9f28871177dd3177e52587ac353af81f937ffbd913ee73ed5a6b34a3c1775f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
15997d7876df4fdabff050a8e90efe5f

SHA1
e3378f642f1dcfad07598f20d13c5eecd6f8f2a7

SHA256
80e5ac5ca7745e7987508ae35eb653d50e36e19c0346fda3b11dc98fc9db45b2

SHA512
6408f2fbf22c557f97ee3529858c8ed9259c97e338535bae5f85d1d9832930506bb046283abb608c8824b8c866073b105f3aa0ddaef3274fa18561271872d6fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
137d2cf0f27484a64691e141388bc1e5

SHA1
0da552e13b03cfa44dbdd6ae194b5a41b4bec08c

SHA256
711c2d46ac044e98ba8a078f7f6258eaa8048ca9f3da2edc744155f3ba9885ae

SHA512
453613d735fdea5a8a32ad0a6ea9abed0eea1420626bd84e6d0aa6a3d3ee55ebf88a21731f5749d0de23463bc23317d4e9e6dc896168c68977337cca7dc40ad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d3596ca5f5bde731bfa6c2fcdac4e399

SHA1
bf3b93e6dc07cee8b3ecbb97a482db7eb2e01005

SHA256
5f076a5eb24fe08b225d57a9e0186411401bdccf8777954a273dd46466df1593

SHA512
d059278bc6bd502d45d7587360c1b35ce0be3dcd1c03d7f8a61baade7ffb09ab2c019a1724b78fc9736fe2102726b1264279f655aa5550af4a5d594fab846e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
62c0a812bc988421838a6c08f27e1f8e

SHA1
7617f8b736f19faf1af866c68e7e9689b8229aad

SHA256
b3ff332bff8bd499a0183b6544016565563af85557857a4728c8e36b3c7a26db

SHA512
fae2d9fcf3b1ea8a5c6ec1d796377bccd27de546949d1356c08cbe966e772854d437c5ac8991704c95021b6ff35f9ee6ec16f96bc9ef6b799299465deecd0927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
14c88104a4cda6f0c6ce63b0febe9444

SHA1
2a6429adfd017afabace4954dfab2932b88f0bd7

SHA256
4330952ff219d2ed4abaeb2196ddb4240c963c02c29e65cf7640dfc902199eac

SHA512
6e5eb1ca2a9d8884bcd38d75d340647f2ee952ee9e4405a8b4dc15a2137355402a364cdf47b1e376f7761c37d7b2d7bab13d66caf80b144b0cbcda289aadd0f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d9ae42186bb3a2abb09fa43028b1619f

SHA1
d4adef9aaa888b1c5949d7f77c8fbc7382a97d77

SHA256
e5f0f58342d05dd2bc33ebf904ec83e332c47f67ca87984285e4a100b9150735

SHA512
7e0ffe70a9fb3b6adc006c19e4cadfdec705bc392311cc48f1afbf597cc6eaf23c2d0df19ed97ef194da7743ec80017e7827c1d06439e58b9ce8685db4395e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b210d2bfacde76a08ecbb0a151070fd6

SHA1
9dae35667d496c75a43cf40df2f3f3413191a24e

SHA256
4db1931415d9fea65f1fb137aee566a18c9375560ad6d3caa28a602704940cd4

SHA512
66a2435146c0a53aff4ba22cb43d7f85bc7d740d28cfd14ecff011c9ebc7365cf902aaa6bbdbf39ffade15f7877a806599db45e5b75906b6fa74d5ac89e08135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
faf8f95d420136d1c5208ca292504559

SHA1
26479aaa03f164916578512b80a6d50eabb5a552

SHA256
460fc92b56f05d510672f235917043e6569725b06db63b967951596ef781f533

SHA512
bb0c86a7657ebe3a38a91f4fadb16ab966281e9ccb272bd9e24f9a8a607d5d5215ec6f30e4cee2146bdb4cc917e3e436fdd481a0d86e70b5185d9eee1efa26f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
f8972821565decc5ab5e8458ce0d7d51

SHA1
79404fc39c8e5975cdf2bdd84a5df01c633262ef

SHA256
dfdeef3f8d87713e3e3e6117c5f4e3273b5563e43faeb53c98689e30e30055d3

SHA512
36c8338ca2c0ccaae3df8010f432d83b1921ef37001432ec5ed6cf9af2d74576468fc3040bf533c65e79a6f9700d8482672981a7d25cc1549d950e65cab128bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
37f9c6441f7db6a41407e8b301c00c1a

SHA1
266cec3160275a1c45b80449a067f708e927e759

SHA256
5a00853093b1bb3c1615fbf991629732c999e86c4aac644be8f32a1463cd368e

SHA512
37274fea6b1b5e55b2e294a0513d78b29b5690f69b8edceadd70433d06d595f70624cf0e154cd2db48f34b354936e4dab261e6b2748580fb5d7418982649105c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
61419157fb417883e703c2e3a27c0594

SHA1
d14dd6f8a526ed05af5f9d15a482c424e977dcd8

SHA256
7f1272d09d641f93697afe2e8a30c4b194b8b016c29c94eb55a60bc6ef3a3de1

SHA512
452380d51f559ba4e3cc70c018f97c25ff17925d12b70f065d6f82d9ab2ee64e3a1862f21664458a7f77f3fa1a9f96eb0437c2277f17f956eb6f348fbf99c903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
6484cb9117575a407f50ea2d949a9e61

SHA1
53b98e5721c32e86e695be9a01075870fc97cb24

SHA256
b5fd3465af62ab2ddc4a77a1e74fc74ccb615fec65c2d3eea6c8bc9bae56ec32

SHA512
a171f5d212466b27868d867a7416ef21b7aeb1ae5111d55e6f487347a49a628a3cecd3330b51af098e56c1c3161bd796b9f198438bfd5fd60d4ada6f83a8d3b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
bf9d3c7d1e12cd59032b468a7880ce8f

SHA1
593b9d1a151b610c46853668b94acf2f0a4b30d8

SHA256
ec8cd27b51d14b9fadf6c448e10452be25b6cb78b187ded10c826ba1dc093f6d

SHA512
f869ef6b8907650dbedce153a0450d4b01137eab691e1ff36de41be2924e74eae5ffe1dc35ad8c3ad2bacfa5bf6e9841097ae44afb7df86a5e11f30dcc1cd7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
a800ca79a2df7a903551478e8593687d

SHA1
8fd0e8edf4ee5d25fe9aa69cc20d2beb34491bd8

SHA256
6d602a94341e39334325a8c339f62d623388132d75dbd3cfcef5bc0e968c39be

SHA512
ebabb702d914d0f7684bfab7bbf13862479a1bc183f5064f49a84e038932296eac1f1456749d1f1572696f51d316a2fea1a3430d757e772d561acc09e4a502cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\jre-8u51-windows-x64.exe.jt6tltd.partial
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AED.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C95.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar616C.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
8d9aeec83365149519ae65cf74f29c9c

SHA1
090085a1a9b91b43049d8c6ddaf153942589a3d1

SHA256
8ce74885afec42dec8fcdae68050c0b5bb024118d401fe1068e9879cb4330ef7

SHA512
891d7a038c2a2a17a489215de62839077d9f25b8edf6dd0be475f1968e25982b5314fec935fb70c4580eea7c535709e931ac78e22aec16de2ca5086dd8c3d855

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
4352d60eb17403cf61c2739afe5c5970

SHA1
cb0a609b2e5fe421afe7e59c45ad62c03d8da70f

SHA256
4181233c41ecfd16e50df342c9d0d03b3fe1c6c0fb1c6e5f1b024b8010dbdfe3

SHA512
82841e25d54f53c70f0ec570ff504a77f777430215af48f507b399d7f2bfd77eef80c57b1fb79a3fde2dc9fe0d40e6d141ad7f2a4f725dc372ba3b8a29388a44

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json
Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json
Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json
Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C4GABFTJ.txt
Filesize
512B

MD5
ae99e45026dfbc6188f034940b635360

SHA1
68ac31a878618458b5a28e0271b9d1c84da0fac2

SHA256
e18d84871892f007b5baef431f1913efdb1fb4c7e47d96e49cd60b496750f3d2

SHA512
a90045878fcb54849b514cd18cb5ee4ef3f8ce5c4c14b25fcc8a30b4b4ddc9ac5861dc3b3e5169bda5735248406460834d6e13de564f10c9d51e1d5b075298bd

Download Submit
C:\Windows\Installer\f76a6e5.msi
Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\java.dll
Filesize
154KB

MD5
31401e170ddd8437635c4c8571a80341

SHA1
b79de1ce1b96ad0c3d00c8a32e55043eaeb1bad7

SHA256
3e060e1aafa2fe99f06c34db84a49d3a2f994c1a0dbef40f37dbafd45cd69533

SHA512
fc5e52e5398563a39dd5d8204ffe52a8668c19e1f1bb9706cf408c6c7ed81f8be667d87233bcdfd8739ac022792c36b9147249e5eedb51b21493100ffbf1e5c9

Download Submit
\Program Files\Java\jre1.8.0_51\bin\javaw.exe
Filesize
202KB

MD5
7b23b0aab68e65b93bb6477f05999574

SHA1
920752e4c22e1165e6df27f69599483187edfbb3

SHA256
32546ecf1236769d2d777331f90282fb97589bec75da11c8e727d61d3d4c988a

SHA512
e3395303e53edce3dfa8fe11b7338c77795595a17dac17818e4bc8b77feee4900d541201d6762aa8f46565730e24a5423684049d40bbd074186ef7223c96b604

Download Submit
memory/572-1287-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/572-1285-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/788-757-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/788-761-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/788-766-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/996-1895-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1732-1123-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1860-1265-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1860-1268-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1868-1171-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1868-1165-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1868-1127-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1868-1128-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2348-1955-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2049-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2283-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/2348-1905-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-1940-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/2348-1939-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/2348-1941-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2282-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/2348-1970-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-1982-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2090-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2088-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2087-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2058-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2038-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-2045-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2472-1176-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2472-1175-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2472-1213-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2472-1219-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2472-1220-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2900-1043-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2952-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download