2ccb74ef3a067234c9a718f052e03ebe47954828cf08f75fdebdc5c645950b3d

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.7.exe
Size

24.1MB
MD5

6c6d9d44d11a3dabdd12190827499fd2
SHA1

493b199a43cd915f7b5113bf3841da3b3672421c
SHA256

2ccb74ef3a067234c9a718f052e03ebe47954828cf08f75fdebdc5c645950b3d
SHA512

6e9348aa831a0e306bf180194cb4c289aeb89762c8af8137e41387a68bb341a32bcafe5c17544adccfd8d51e69458b9bb20e288021f6fdc46a1133be4352d59d
SSDEEP

786432:ZKxabBbJyM9irrKJBH5lFRqH0fYk/pUJ8a:ZKcSMQPKJBZlCUfYSpUJ8

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

Processes:

irsetup.exeTLauncher.exejre-8u51-windows-x64 (1).exejre-8u51-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exeTLauncher.exejavaw.exe

pid	process
2900	irsetup.exe
1652	TLauncher.exe
1680	jre-8u51-windows-x64 (1).exe
1800	jre-8u51-windows-x64.exe
1412	installer.exe
924	bspatch.exe
1268	unpack200.exe
1076	unpack200.exe
2384	unpack200.exe
448	unpack200.exe
2988	unpack200.exe
400	unpack200.exe
2860	unpack200.exe
2020	unpack200.exe
2944	javaw.exe
2540	javaws.exe
2404	javaw.exe
1992	jp2launcher.exe
3000	javaws.exe
592	jp2launcher.exe
2924	TLauncher.exe
1616	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-Installer-1.4.7.exeirsetup.exeiexplore.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exe

pid	process
1992	TLauncher-Installer-1.4.7.exe
1992	TLauncher-Installer-1.4.7.exe
1992	TLauncher-Installer-1.4.7.exe
1992	TLauncher-Installer-1.4.7.exe
2900	irsetup.exe
2900	irsetup.exe
2900	irsetup.exe
2508	iexplore.exe
1136
1136
2508	iexplore.exe
1136
2040	msiexec.exe
924	bspatch.exe
924	bspatch.exe
924	bspatch.exe
1412	installer.exe
1268	unpack200.exe
1076	unpack200.exe
2384	unpack200.exe
448	unpack200.exe
2988	unpack200.exe
400	unpack200.exe
2860	unpack200.exe
2020	unpack200.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
868
868
2944	javaw.exe
2944	javaw.exe
2944	javaw.exe
2944	javaw.exe
2944	javaw.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
1412	installer.exe
868
868
2540	javaws.exe
2404	javaw.exe
2404	javaw.exe
2404	javaw.exe
2404	javaw.exe
2404	javaw.exe
2540	javaws.exe
1992	jp2launcher.exe
1992	jp2launcher.exe
1992	jp2launcher.exe
1992	jp2launcher.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/2900-20-0x0000000000E10000-0x00000000011F9000-memory.dmp	upx
behavioral1/memory/2900-786-0x0000000000E10000-0x00000000011F9000-memory.dmp	upx
behavioral1/memory/2900-800-0x0000000000E10000-0x00000000011F9000-memory.dmp	upx
behavioral1/memory/2900-1538-0x0000000000E10000-0x00000000011F9000-memory.dmp	upx
behavioral1/memory/2900-2205-0x0000000000E10000-0x00000000011F9000-memory.dmp	upx
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/924-2973-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/924-2985-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

Processes:

irsetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\verify.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_es2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\j2pkcs11.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\fontmanager.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_socket.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kinit.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunec.dll	installer.exe

Drops file in Windows directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f7818ce.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7818ce.msi	msiexec.exe
File created	C:\Windows\Installer\f7818d1.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BDC.tmp	msiexec.exe
File created	C:\Windows\Installer\f7818d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59A9.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 78f4df5a51cbda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeinstaller.exeIEXPLORE.EXEirsetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93E07F91-3744-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bf306a51cbda01	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd29b99b2e34d4ea7569295cf1e4fdd0000000002000000000010660000000100002000000023a8ad60de9da49cd1053dda4b3c4988e00754c60daf526f156a0e48736077b5000000000e8000000002000020000000d1a281e68d39c2bd416b596f76d45e4ba1139535badae279d1b5227315f5547e20000000854ba3cfcd9f866aaf4a45f543d95bf0f90d0470d46bb9e4a08ecfa8368640a940000000af6dd7d254f6796c5bb422de6dbe019fb6872ed62d9d7596107c85cd1ba1819a49ad54e2de5729aee40405cdc9f7d06d7e870730fec5281249c4bca9e72f4a36	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd29b99b2e34d4ea7569295cf1e4fdd00000000020000000000106600000001000020000000428db9644baee6dc900c843a62fe483227169704b3065da5b26ba4d0972160f7000000000e8000000002000020000000d5beee8dd9b79a9b8f47e6d79eecfbc40fe866a3e88014edefd41cbf100570fd900000006eada75f887fd4c8d037027736c35f7568da5281a4e891c8d73b92da28776fc3df312d28031d4b24b216c17c5df99daab1906ea0507da2d4831d3f0de83eecc07a49ff72ce552162f6ff5d7a57ce2a89214757f040ed1402a4c744df8d0ed623ac09e8a8d6a6d5f5d4e1dc0929b63ed38460ab374961dcb0623b2236596e432f31b1c5c04250df7dbaa145123f6121904000000077157db94bf7079fae3f2ac4ac44e22a239e3c7216503ec2b7108a24cae7e1ab7d2376aa7a36d3def71ef83a697da68180fd5a250282ea942885cab517428504	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_52"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_05"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_62"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_22"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_22"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_14"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_37"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_78"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_40"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0053-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jp2launcher.exejp2launcher.exe

pid process

1992 jp2launcher.exe
592 jp2launcher.exe

pid	process
1992	jp2launcher.exe
592	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u51-windows-x64 (1).exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeIncreaseQuotaPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeAssignPrimaryTokenPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeLockMemoryPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeIncreaseQuotaPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeMachineAccountPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeTcbPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeSecurityPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeTakeOwnershipPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeLoadDriverPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeSystemProfilePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeSystemtimePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeProfSingleProcessPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeIncBasePriorityPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeCreatePagefilePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeCreatePermanentPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeBackupPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeRestorePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeShutdownPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeDebugPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeAuditPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeSystemEnvironmentPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeChangeNotifyPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeRemoteShutdownPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeUndockPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeSyncAgentPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeEnableDelegationPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeManageVolumePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeImpersonatePrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeCreateGlobalPrivilege	1680	jre-8u51-windows-x64 (1).exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2508 iexplore.exe
2508 iexplore.exe

pid	process
2508	iexplore.exe
2508	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

irsetup.exeiexplore.exeIEXPLORE.EXEjp2launcher.exejp2launcher.exejavaw.exe

pid	process
2900	irsetup.exe
2900	irsetup.exe
2900	irsetup.exe
2900	irsetup.exe
2508	iexplore.exe
2508	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
1992	jp2launcher.exe
592	jp2launcher.exe
1616	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-Installer-1.4.7.exeTLauncher.exeiexplore.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1992 wrote to memory of 2900	1992	TLauncher-Installer-1.4.7.exe	irsetup.exe
PID 1652 wrote to memory of 2508	1652	TLauncher.exe	iexplore.exe
PID 1652 wrote to memory of 2508	1652	TLauncher.exe	iexplore.exe
PID 1652 wrote to memory of 2508	1652	TLauncher.exe	iexplore.exe
PID 1652 wrote to memory of 2508	1652	TLauncher.exe	iexplore.exe
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2232	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 1680	2508	iexplore.exe	jre-8u51-windows-x64 (1).exe
PID 2508 wrote to memory of 1680	2508	iexplore.exe	jre-8u51-windows-x64 (1).exe
PID 2508 wrote to memory of 1680	2508	iexplore.exe	jre-8u51-windows-x64 (1).exe
PID 2508 wrote to memory of 1800	2508	iexplore.exe	jre-8u51-windows-x64.exe
PID 2508 wrote to memory of 1800	2508	iexplore.exe	jre-8u51-windows-x64.exe
PID 2508 wrote to memory of 1800	2508	iexplore.exe	jre-8u51-windows-x64.exe
PID 2040 wrote to memory of 1412	2040	msiexec.exe	installer.exe
PID 2040 wrote to memory of 1412	2040	msiexec.exe	installer.exe
PID 2040 wrote to memory of 1412	2040	msiexec.exe	installer.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 924	1412	installer.exe	bspatch.exe
PID 1412 wrote to memory of 1268	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 1268	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 1268	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 1076	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 1076	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 1076	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2384	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2384	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2384	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 448	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 448	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 448	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2988	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2988	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2988	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 400	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 400	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 400	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2860	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2860	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2860	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2020	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2020	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2020	1412	installer.exe	unpack200.exe
PID 1412 wrote to memory of 2944	1412	installer.exe	javaw.exe
PID 1412 wrote to memory of 2944	1412	installer.exe	javaw.exe
PID 1412 wrote to memory of 2944	1412	installer.exe	javaw.exe
PID 1412 wrote to memory of 2540	1412	installer.exe	javaws.exe
PID 1412 wrote to memory of 2540	1412	installer.exe	javaws.exe
PID 1412 wrote to memory of 2540	1412	installer.exe	javaws.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe" "__IRCT:3" "__IRTSS:25232362" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
2⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jre-8u51-windows-x64 (1).exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jre-8u51-windows-x64 (1).exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
4⤵
PID:1696

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
4⤵
PID:2300

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jre-8u51-windows-x64.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jre-8u51-windows-x64.exe"
3⤵
- Executes dropped EXE
PID:1800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1268

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1076

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2384

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:448

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:400

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
PID:3000

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D096F8D905FC2ED4A5394671C118A486
2⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
3⤵
PID:2532

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7818d2.rbs
Filesize
788KB

MD5
89b982055fac0a906ffc5f7ee81f4ea0

SHA1
524ce5ea2b5c1acf997454d6e1e4ec6edbff5a50

SHA256
30c594b4c97f83879d71fdd9ec36af1e8da5b4857f142f5e7e8a2a9e9e20fd57

SHA512
ba60d8879d41b35764a651419f8b86617535cd872bcad3efb06d91106f4f8526349ab823619271547cfa332474128ff4a86123d6956b94b6f025e2689703c77d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
eee5503836a927d1df2dd9affc364af8

SHA1
100054b38b1b5bf7e2a16a12add9fc2f85f7116b

SHA256
22d07e6f851b4c210c3891efe6c865aaa7cda1f139211022d30a08637ef21097

SHA512
c7926feb41f338cb3955a16b2fa265300842268980b8bf311fbdb0d1c02c908dcfc4f1203211e5f1fa9f8eb764768e94f32fe0f0b285a2a3e7b309cfa3fae36e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
2dd6666d47f96bd7bb73186099806779

SHA1
885b04b872c8dd1e5edbf4e04f5b83abac0f2fa6

SHA256
df5e9c5d7b463d75d9c2655e13e94c508f60cd7546560111c6e574e199529821

SHA512
aa8a91d05a0f1d21404e0cf1273808ba42bd980585b83120918679b6dc78d6e8527344775baab06e114082eaef2871b3884c8381c6e695e08a1ddab6fc1958aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
Filesize
180B

MD5
76dbf5f65aac900559ce3ab7a49bed02

SHA1
bf5a57a1d7214157d875669c78065a54b57683b7

SHA256
388b28718fdadf275ca29e11707ab6d1b2e3436d1246f3b0c2fc4d79fe813fd4

SHA512
b180cdbe145ea5d241bcc972f87e03665ce294a16a0090b3969779e9a071a2a5ac09df6a6ad1ba4d784a9ed058ec7bd691598d0f6b6aa22e5e38e955f4d8e550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
50e4147b0c08e11d7179b61400f5a6f4

SHA1
046cbbe82b0e5987c9b28710689c08828831049e

SHA256
f94a44a061104c19efec0a7d7f56c864797b1100eb7ff3c95fa01e6a36a52517

SHA512
a25ca3b77c37fadd8f15c644a73830e58ed069442d21f7e295df2bca08dccbb196040c4a724bf0429342f0c888feeee75fe30ca2837904a2c038b3f7132e6a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbc8b74b5f834849fa143e2f0d781dbd

SHA1
67293e7be0e0fbc982870fafc9d4684f2682d72a

SHA256
fabd38b5df6a4ca6c875e25c55aeaa7e72cdb8bee4de0034b4bd6aee62e0eacd

SHA512
1ef2f407998e761754f674fb624286e0a9355bf91f908a8ea65df5f3b56c4b4e48f02b967b289dab04f310fe7f7fd24e8c6c363c0313754f128d291709f794d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e92c24809ef34845a199e7ac1b3b5461

SHA1
560193dd5b47661e8f8c7a4738cbd5a2bf37a6ba

SHA256
2838da5b4e85f3d252935853723021b97b35d4593c778456a7d99046f016b463

SHA512
71da4176bbeb416907bfd9ff066c7210b28f1c49997ab33bc33ad538433c6eb57ceca8f782cfabde6cf9c6b7938ef19742516642d822a6fe9ece4c77f5675f9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dce95e98ea9230887f13e4978ca3c5d7

SHA1
0f56e51b29ddb52b6f24c4f6676c4b4f4360a9e6

SHA256
2ba93ce748212882945e76c5d318d391452dc82b3908aa9a9ae509d6d3f43bcf

SHA512
996d8d84899c435376340a54bef9b274768f906570fdbf3427d26dffb4aaf6ccfaf2e9b04ae599b20205092365096f74d6b002c78016213b34a32a45ebe7641f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4b327b7f70c9a6719006e7b33b42bc51

SHA1
156f8797b4620ae6df2210f1572550fa4217639c

SHA256
bb2d489de9b7c34262c81cb553147a2da9a73b6815f403e5cd86ff317aa4451a

SHA512
4bb58b9efe4da69dbf6e333da4e0406120dc3f27f5d9289510f9311e548c97d903b214750aa76acb24476868c2d48f398697adef9dd5bab09e9dc79ed67c8545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f7b8e93f9a1f5cddd7e6501d694b89d7

SHA1
6676a447d45c4ea5e11ffa2de7ad576642f228d3

SHA256
a4efdfa15d6167cb2b21fe69b7014cda9e190a7f7811129fe7f5dfa49d6d8908

SHA512
9e714b6d241f6b4b67c6a82708fda2c225c7b2780907d82130d85cd3bd17b14d51f56519b8fc68f0bebfa0695ddbffd9a0666fece3c47cf585b27ec854a581b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1b42d71f26db268acf5a553eaf80be77

SHA1
d9dc8f37335904e375f8b738cebac0460b12e0bd

SHA256
24d63872d431f0753ab738c259ebe4f72ba54ef0ea9dd597c1bd2afac7141522

SHA512
4b8977286a532a8f15cf486b65d1935021fdde970d5ee07b8eeb5c268b841b46cbc34a7958778ab1c353de79463cd31064033556c5c0eb363fbf329c1a6fa9e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
185486f6058bf5d743443341003c79ed

SHA1
a8b18f37462b958345635b65846d983041a8f3bc

SHA256
378eeea9a6568a407bfd425ce43503664b1409621793669a30ee2aee1584327e

SHA512
c13d8fd542e5e209538c7fbb42578c7ee32fd2d9e065c4ec92cc05ea7751abd17ab697f43224619cfcc3e69a7119786e1d00f799b749347ed70ad580085348dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
95f08576946ecd7c6d693daa258057f3

SHA1
5144878a3930a231005c291559b5fc8b2c5c25ef

SHA256
2037a460129f8b439091dae31b569336358a7a81102b89fd0544f8f4080577a8

SHA512
d3288bc5711ec498324f91f2d81fb551f61239bdbf5e4ac125b4a3e85bf5557af5639ac1bf2039b4194d357832d0555ebca0f86acbd88e09881597548ee85107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3604e486403f49a3545958f2ee30e0a1

SHA1
9a28738614354d931d4ead63f0405652011b47fe

SHA256
395eba596c9228ae1b2e0a65528afe7cde7412bc491c298e4dddb63a8aece1b6

SHA512
7250101f999c6f86af1b41b95d31cb59fff83c5f78ef675e978ffce13074780fee8d700541bf19620f900585cc57e24481d96504ed047104ff6639a29c8c0055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
4acadc00d8a4ba174c2b0e8a562634bc

SHA1
1190012fc001ac252f169b1294fa3d10d694793b

SHA256
d6d7d19ac056968356881ef033c7b2c5fa498b94c62f65299026ad0ab986301f

SHA512
fcd12b8199d6f92be2aad1e338f40f2f9f58bd7447ae6529415d714025e876d9d403f056f2187e6adbcd5128c72d26cdceae206d51f81af869316a11db119ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
85cda7d9f056862fb14cdf759c5aceac

SHA1
cec5a32dc9b9f45de31c481132c866f125318824

SHA256
677016016b1b311493da725e956d86d6de2368a38e69e6dc747b788ffb64b6bc

SHA512
cd444ce941947150ae1736f31b6e4207f73b4fed8cabae566e7791112c5dde2d7b6e2603be8a6b0e651bed6e266285dfdc4b35cb4f49b8f045d64e2a08126d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
f7f6ea3d50a4c5b3acfa7cae6fcf64df

SHA1
97f404708254d4b10c33b1a99600eeb3779b2f58

SHA256
3ffa1e00bba6b04e38b0f3cc0dd33a8a06e78f15271c0e2b8736c623f2891fb6

SHA512
5a0c0a02cb91b0c49271ed287905135b8cb4d5afd65ff596e5c224e8d68e4354eb287e01b2fc40082155e88e3b4a6bef6e86c961a31c130fc7355814962674f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
50541970b2d0903ddd033caff61ff89c

SHA1
3c03b8c70b98e87cfda6d4c5234e2e72a34c843d

SHA256
413ddf77c8bc0c7aa9d1d7b644c9e4ec58df879cff51f7d37da5d1e5bbf6feb7

SHA512
31c266e471cfc44dc15f2978b151671c0c36b36e50e98eb480c7c9600108028640308acb0c577f94e17b38a2b516b3edac1331456568410896912d32e81e4b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
de51ccc178a138e2e5de2da5e0c928e9

SHA1
b219753c7b0426e937c235c62377afc47e9649af

SHA256
074a77d40b27d4ec9dd5f9f972e18306ed7e620ba4f1b6c40d53e76d234a59e4

SHA512
efa906e7a6e683e9bd944004e1fb33c0bfd3da0150cb4d04dfea23e69af284c0df137b979391c6c450868a68d9fc0e805e48ba97085079b2e772cdde73f23caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jre-8u51-windows-x64 (1).exe.oval9e9.partial
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33C5.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG
Filesize
206B

MD5
19cc60490b1c2ff33fd88054ea0b08fa

SHA1
e0efb3ffe0e9de359922d134c68f67371d0fe21a

SHA256
49708851bdda2b324cbe7fa391af81ff3fab72de28c88b073035b1ec87fc5e57

SHA512
452fb6a1f9b7a908f6bfc7634a6f9de848adbe37fa080977060d5b2eea7da1207b87b1449b37a909d6be8e748fc39c6e7d30829546751f9c60c2490f2bf46aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG
Filesize
43KB

MD5
803866e63e1b433eafa31ddf1819d88a

SHA1
e5cbdf988d8711b831981c9cc5c2695e44ecd963

SHA256
3cff2eae4bc6ef69c72d163d41c4f387e8cc3413772024062d093583069fc6f1

SHA512
d494faf98f9179111f0a1e6ba8261d6b0924172c57663ae26efc4aa3022c1420dfc980705ca5579169a33a68baa299bdf3c38b8f322fbf2e54ed0f36198aff98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG
Filesize
644B

MD5
4c8bb522e8cf8c27b8e7fc318c7ab17b

SHA1
3071a7f9b977d6a27e9ab0777456b3c13753568a

SHA256
3eccb1386194744d6596a9c3abf854ea591e12742d789518e90afb99fa370871

SHA512
d112bbbcaed8b8ec04bf52fa0f2a320c04dc4962c862e383e27b6f4f8bff621ee201b982140f84b6de527753e92511e21be539296a9aa38e572a5d5051c7d539

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG
Filesize
40KB

MD5
54c173de619065c86d50c5c7cf66097a

SHA1
58111b16ba2075c2fcfe30ddef29ea66108cf9ad

SHA256
30db6860833fe2f29801d604bda19e5a0d2a4b9f409caadce56dde13324078a7

SHA512
85ec2700ebbc18bfcbee25f3b025a9c1d3b32502f6b4313c2df124f454c0d9d098414bef0a8bf44f7e5b3eeeae6e3491106c2b477d69b94158b897ea6b0f5b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP
Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP
Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG
Filesize
438B

MD5
c2d61af0e799bbc8bcde7bb15564952b

SHA1
09bb6c51afcff1276a9ea2a795a9cf3e5ab4494a

SHA256
5ca45fb4679f8ec9671685874fe70871f1cb49e6b6f6210137864784888d070e

SHA512
edc12546dc237505c698092db968d04399a697c0bd9a10e56daec05340864d24f56939e182a052275f6a750aeb4a02f32b21cda0311278ed8e0bc758bb577743

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
9KB

MD5
e426dac318be5e5bf99606b4d5e49061

SHA1
08864ad3ede8a54e6cd3916ed4a05afac6a6c014

SHA256
738ac332435b3dc97a99f42e44504fa1d01138ac4590fc6dbebff01bf2f68842

SHA512
ee968da5b217fdd5b4868912f23346d6eafe362915ac016651b73797b9fb313de376509f818243c885df8bbb95ab2b83fb61d834b06db67679ea372ce4391860

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
17KB

MD5
87c2444db22b3e668431868fde5236e6

SHA1
c11616659aa4fe8cc3b755b56142f88b1e2f6cde

SHA256
bcbd86ff748903078c381227343e423b8023243f84c9a55984c382a3b16a62d4

SHA512
b1c93a7e9d56cbaffc7bdb73575120e28dac0006ba77c926c53b586c72689b43a00ff1da60cc7c5eed6d8cc916caaba6fb204134869545079f019cc1cf95bf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
9808196f980d936e4daa0ccf233d54a1

SHA1
aa125cb8334d8a777d50568e29e4ff6289692173

SHA256
5b7af3b0cc3b90e00d366985e27dc76146d28d2db865e5df98415d1568d52353

SHA512
41588d1b1b41f8320ab6a7377ef9f87604c1bc55558ddd11e40c233d6f66d55fbc7a9271202d69c475078ac3692bc6a151097915228d8e4b3b5dae761db4a518

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
26KB

MD5
ff046aac32405350e2e8ff9fd8c2b728

SHA1
dda44ddcb238fa0efb9de6ea09918cafc1c8fc20

SHA256
282d946a10e5d7c2cbe42c10f7442c9d9accaff58f33060cae19f70e20321095

SHA512
dc42583b306ba1936cf0af7456adb821584d0c56aed0de89587f255b11c2c79c3765afe89f562c337e026558c66c767a2b6656e5fd01c54011d5b341a85570b2

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG
Filesize
45KB

MD5
baf26cf75bcc4e8d89ab634d96191627

SHA1
7b3acdb1ea5cc827b079cd2b5ebffcffedc1da9a

SHA256
81b942e871ef52c2fcd67c769f400e3f9f9bdd5921b4eb77f85c9653bf8715f0

SHA512
1162675a91229ce9c92161b17ab765693d455956f8217dc71ae916364a289a37bbebeef23415ffc5b6b8374321838dd259b26184d6aa3865c69d92a254068ec9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG
Filesize
41KB

MD5
1cde7f4b65d7915806fffa1dc22bb527

SHA1
fe0dce2a7ea338b44e1d264288379ac14289c430

SHA256
04079a342d1ada8ef6ae3ca5503a307a72637061c6d34cae90a3dfb342ff9727

SHA512
84bc5e70bbc6ac35a351e271796af476aaa7dc40edbb5adfc6b85978dc855787c1d20060792e9efdfe4e8aeb6f271efc4df4a757d79ee53d057bcac3d79587d7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG
Filesize
475B

MD5
aed347c1520185c3d1ca24604e5689e2

SHA1
d1a213e4df60376d3cd9c4c8d97051a74c5a42e3

SHA256
c6c1a74804e7ef24c8f0fe671f9776ffaa96fd78f8cf609be29394ec4b528580

SHA512
7b7ad53f205fce8c0b19c68a33affa41d79e780fa10a67fba11239bf3c06b7995764f237ba0dcce3d6f9fdbd9038c6ecb73f3c504066bd71f2dd4224d8d86aa5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
368B

MD5
29bacaeca4131335a6821277b65aec45

SHA1
050fbd5270b614c3ec14ae4609f91667922f5416

SHA256
20c7e42db9c1f0df908dcaf4fa7536ea9d236b747a30d55d1744a286ae8d9e06

SHA512
747b3cbbed596517c19eab89830a781ec4fc0f52cdae642250b1a941092dbc0f40e6096e423f496e6e267f99e164a97031359568d842691c432cc445af7410e6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
23KB

MD5
bb8a023fd35026c18a61e6241a93937a

SHA1
14792b3f3f0ccb298bae3f466cdd658353250e05

SHA256
d750e78317577bafa7d7dd73d28d0328e9baf0305be9a2953eb10c3a4fc2390f

SHA512
036642e84baba26411f8ad1b9f75129480edbaf577f4f80d53bfd22299cffec9e3b03a4c7a295b3b8617b387bb639f7d528a7b388db00c8579b69865b6de783f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json
Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.fastrepo.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RL56TJS2.txt
Filesize
867B

MD5
0f81e2f98ffa18bf899476e15634fba3

SHA1
4d82c438933a9a6fbbee713b45a4ebee77c84f37

SHA256
5cda8e7778a26db64572a80b429c3a4ab034695e0e168f6c13daa222eeaaf850

SHA512
bf5921ed8415f514b3676d0b106163cbf787cf2a07257a7b8d4dd3e011bf64dee9351281344b08450222c25391cf06258260896ee10988427dac20362c449be8

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.2MB

MD5
af9bb57e1893112a57a47df0908bc3d1

SHA1
39f31da08004741fd4b9fb31b04e29368f1e317e

SHA256
1cf4f5e5d5bed48b7c989e34bb80507ca623cb1ac1fc1596f07cfd1dc7aec60e

SHA512
3a8cd6660a0147101f4898c20a6fec1192b4196ae8e46cd3e730dc43c8bd7feed9c576590b6aa79c7763e5942466ac9118d44177edbc2ff1ddf1af3da5234040

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
memory/592-3430-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/592-3393-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/592-3467-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/924-2982-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/924-2979-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/924-2978-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/924-2985-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/924-2973-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-3506-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/1616-3545-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3622-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3619-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3593-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3529-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3526-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3509-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1616-3507-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/1616-3444-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1652-2208-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1696-3568-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1696-3565-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1696-3560-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1992-3389-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1992-3364-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1992-802-0x0000000003250000-0x0000000003639000-memory.dmp

Filesize
3.9MB

Download
memory/1992-19-0x0000000003250000-0x0000000003639000-memory.dmp

Filesize
3.9MB

Download
memory/1992-3326-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1992-6-0x0000000003250000-0x0000000003639000-memory.dmp

Filesize
3.9MB

Download
memory/1992-3327-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1992-17-0x0000000003250000-0x0000000003639000-memory.dmp

Filesize
3.9MB

Download
memory/2300-3594-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2404-3322-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2900-20-0x0000000000E10000-0x00000000011F9000-memory.dmp

Filesize
3.9MB

Download
memory/2900-686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2900-1538-0x0000000000E10000-0x00000000011F9000-memory.dmp

Filesize
3.9MB

Download
memory/2900-801-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2900-787-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2900-800-0x0000000000E10000-0x00000000011F9000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2205-0x0000000000E10000-0x00000000011F9000-memory.dmp

Filesize
3.9MB

Download
memory/2900-688-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/2900-786-0x0000000000E10000-0x00000000011F9000-memory.dmp

Filesize
3.9MB

Download
memory/2924-3434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2944-3242-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download