0bc2628f57e61fa26ada1eb67af476a4a306b8d81e8c86a54f469472eefd2948

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.68-Installer-0.5.2.exe
Size

14.7MB
MD5

6dc6ae6d6ea79048ef2ebe1b57d4a19d
SHA1

9c76b44cd6812f250c960d33a74734fb123558ab
SHA256

0bc2628f57e61fa26ada1eb67af476a4a306b8d81e8c86a54f469472eefd2948
SHA512

6e2f8039090c97ce2ccbfc2eb1f42fd479fbe69bfd7c3b6bcf035e07b98c28a4f807005759a593780ee4b2c34bab3df9d8a568c4b154be8a60e94ab033234e07
SSDEEP

393216:AX1eHUCfsD441ffz4e4oQL1CbfvIzAtdB7lRhYpwvv:AlsUC+1Hz4e4tCEzuB7lRGO3

Score

7^/10

adware persistence privilege_escalation stealer upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1188-17-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
behavioral1/memory/1188-94-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
behavioral1/memory/1188-174-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
behavioral1/memory/1188-182-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
behavioral1/memory/1188-194-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
behavioral1/memory/1188-236-0x0000000000C60000-0x0000000001048000-memory.dmp	upx
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/2348-1055-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2348-1066-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exemsiexec.exejavaw.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_font_t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jjs.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dcpr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\bci.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\tzmappings	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\installer.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\kcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\flavormap.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\classlist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\meta-index	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\hprof.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\server\Xusage.txt	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_zh_TW.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\sunmscapi.dll	installer.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exedxdiag.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f77430e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7775.tmp	msiexec.exe
File created	C:\Windows\Installer\f77430f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C3F.tmp	msiexec.exe
File created	C:\Windows\Installer\f774309.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77430c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77430f.msi	msiexec.exe
File created	C:\Windows\Installer\f774312.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D78.tmp	msiexec.exe
File created	C:\Windows\Installer\f774314.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f774312.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe
File created	C:\Windows\Installer\f77430c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI459A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f774309.msi	msiexec.exe

Executes dropped EXE 25 IoCs

Processes:

irsetup.exeTLauncher.exejre-8u51-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exejaureg.exeTLauncher.exejavaw.exejavaw.exe

pid	process
1188	irsetup.exe
1468	TLauncher.exe
2740	jre-8u51-windows-x64.exe
2028	installer.exe
2348	bspatch.exe
1240	unpack200.exe
1300	unpack200.exe
1928	unpack200.exe
1956	unpack200.exe
1124	unpack200.exe
2004	unpack200.exe
2044	unpack200.exe
2592	unpack200.exe
836	javaw.exe
2572	javaws.exe
2684	javaw.exe
2420	jp2launcher.exe
2820	javaws.exe
2228	jp2launcher.exe
352	javaw.exe
2424	javaw.exe
2912	jaureg.exe
2856	TLauncher.exe
1928	javaw.exe
1272	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.68-Installer-0.5.2.exeirsetup.exeiexplore.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exe

pid	process
2188	TLauncher-2.68-Installer-0.5.2.exe
2188	TLauncher-2.68-Installer-0.5.2.exe
2188	TLauncher-2.68-Installer-0.5.2.exe
2188	TLauncher-2.68-Installer-0.5.2.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1332	iexplore.exe
1248
1248
1992	msiexec.exe
2348	bspatch.exe
2348	bspatch.exe
2348	bspatch.exe
2028	installer.exe
1240	unpack200.exe
1300	unpack200.exe
1928	unpack200.exe
1956	unpack200.exe
1124	unpack200.exe
2004	unpack200.exe
2044	unpack200.exe
2592	unpack200.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
860
860
836	javaw.exe
836	javaw.exe
836	javaw.exe
836	javaw.exe
836	javaw.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
2028	installer.exe
860
860
2572	javaws.exe
2684	javaw.exe
2684	javaw.exe
2684	javaw.exe
2684	javaw.exe
2684	javaw.exe
2572	javaws.exe
2420	jp2launcher.exe
2420	jp2launcher.exe
2420	jp2launcher.exe
2420	jp2launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 88c7e60898c9da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEinstaller.exeiexplore.exeirsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000001956bc5f9dc9ab470fcf0d43fa04c08e6c245a9676f4fd4f60d9e73e266db0a8000000000e8000000002000020000000beeddaace408207a4a4f44eecf1b9bcaba67a160dbc721bf168459af949ec4a190000000c4b4909a87fef8185e1f097342e3f4b2ab15c8bf63df94e11e241140de8f1513272eccc7f0bfc531c915ab01d28131317d28c266e60ad6f5093702e18ef75f4b09f61a3b25d6c90dbd2a858de4d4a9c72b1e5aea5920ede2f93814e03a00eb2a7e04c000864e11fe31d3e06834efba3a553c0f79fba25ecedfb3cd25c51c835bc62d6de41f5f9767f3ac0af09bd139e2400000006dfbcbb57644020377cccd42a5810342559b84db9e45f505c2454d4768635eb8203f49809db8925805ecc69697bf83fcb62e3cbc16179367c9a4d4ad09faafb1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41660511-358B-11EF-B97B-5630532AF2EE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004eab321a8b2cf7709bcb346ee2ff6f753cc97fc7b4ddaf52412825075cc6fc7d000000000e8000000002000020000000ec32f5e2c13607d4d72d538a2808a76d1a34846709fa35eeb4921862850e0b0f2000000054f012682eca9d7d070e3b2f6c04efee2e9e744f15e5b1d69c9675b30df108054000000096218d4fbeb3f1127b00731bc16746ea1af3558baea0ba82cbb7864aa916f64a23d628701732bbc31d9533e01b16df48f03fd50139f065d345cab8636b84f2ea	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fa091898c9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

installer.exemsiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_03"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_39"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_58"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_11"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_18"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_20"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_19"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_04"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}	installer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

jp2launcher.exejp2launcher.exemsiexec.exedxdiag.exe

pid process

2420 jp2launcher.exe
2228 jp2launcher.exe
1992 msiexec.exe
1992 msiexec.exe
2672 dxdiag.exe
2672 dxdiag.exe

pid	process
2420	jp2launcher.exe
2228	jp2launcher.exe
1992	msiexec.exe
1992	msiexec.exe
2672	dxdiag.exe
2672	dxdiag.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u51-windows-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeSecurityPrivilege	1992	msiexec.exe
Token: SeCreateTokenPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeLockMemoryPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeMachineAccountPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeTcbPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeSecurityPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeTakeOwnershipPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeLoadDriverPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeSystemProfilePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeSystemtimePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeProfSingleProcessPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeIncBasePriorityPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeCreatePagefilePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeCreatePermanentPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeBackupPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeShutdownPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeDebugPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeAuditPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeChangeNotifyPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeRemoteShutdownPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeUndockPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeSyncAgentPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeEnableDelegationPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeManageVolumePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeImpersonatePrivilege	2740	jre-8u51-windows-x64.exe
Token: SeCreateGlobalPrivilege	2740	jre-8u51-windows-x64.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1332 iexplore.exe
1332 iexplore.exe

pid	process
1332	iexplore.exe
1332	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

irsetup.exeiexplore.exeIEXPLORE.EXEjp2launcher.exejp2launcher.exejavaw.exejavaw.exedxdiag.exe

pid	process
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1188	irsetup.exe
1332	iexplore.exe
1332	iexplore.exe
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
2420	jp2launcher.exe
2228	jp2launcher.exe
1928	javaw.exe
1272	javaw.exe
1272	javaw.exe
1272	javaw.exe
1272	javaw.exe
2672	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.68-Installer-0.5.2.exeirsetup.exeTLauncher.exeiexplore.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 2188 wrote to memory of 1188	2188	TLauncher-2.68-Installer-0.5.2.exe	irsetup.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1188 wrote to memory of 1468	1188	irsetup.exe	TLauncher.exe
PID 1468 wrote to memory of 1332	1468	TLauncher.exe	iexplore.exe
PID 1468 wrote to memory of 1332	1468	TLauncher.exe	iexplore.exe
PID 1468 wrote to memory of 1332	1468	TLauncher.exe	iexplore.exe
PID 1468 wrote to memory of 1332	1468	TLauncher.exe	iexplore.exe
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 744	1332	iexplore.exe	IEXPLORE.EXE
PID 1332 wrote to memory of 2740	1332	iexplore.exe	jre-8u51-windows-x64.exe
PID 1332 wrote to memory of 2740	1332	iexplore.exe	jre-8u51-windows-x64.exe
PID 1332 wrote to memory of 2740	1332	iexplore.exe	jre-8u51-windows-x64.exe
PID 1992 wrote to memory of 2028	1992	msiexec.exe	installer.exe
PID 1992 wrote to memory of 2028	1992	msiexec.exe	installer.exe
PID 1992 wrote to memory of 2028	1992	msiexec.exe	installer.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 2348	2028	installer.exe	bspatch.exe
PID 2028 wrote to memory of 1240	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1240	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1240	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1300	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1300	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1300	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1928	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1928	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1928	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1956	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1956	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1956	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1124	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1124	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 1124	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2004	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2004	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2004	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2044	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2044	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2044	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2592	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2592	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 2592	2028	installer.exe	unpack200.exe
PID 2028 wrote to memory of 836	2028	installer.exe	javaw.exe
PID 2028 wrote to memory of 836	2028	installer.exe	javaw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.68-Installer-0.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.68-Installer-0.5.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.68-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:15356824" "__IRSID:S-1-5-21-268080393-3149932598-1824759070-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
4⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:744

C:\Users\Admin\Downloads\jre-8u51-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u51-windows-x64.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
6⤵
- Executes dropped EXE
PID:352

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
6⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\msiexec.exe
"C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
6⤵
PID:2496

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
6⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" REPAIRMODE=0
2⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
PID:2044

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
PID:836

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
PID:2820

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7A417A854CEADFCC48681A327CF2086
2⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
3⤵
PID:1352

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1DDD4DF3F242451004971FBF57DDB33
2⤵
PID:2928

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xmx512m -Dfile.encoding=UTF8 -cp C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extensions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\net\sf\jopt-simple\jopt-simple\4.9\jopt-simple-4.9.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tukaani\xz\1.5\xz-1.5.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\picture-bundle\2.8\picture-bundle-2.8.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\skin-server-API\1.0\skin-server-API-1.0.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\tlauncher-resource\1.4\tlauncher-resource-1.4.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\github\junrar\junrar\0.7\junrar-0.7.jar;C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\dnsjava\dnsjava\2.1.8\dnsjava-2.1.8.jar; org.tlauncher.tlauncher.rmo.TLauncher
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & wmic CPU get NAME
4⤵
PID:2888

C:\Windows\system32\chcp.com
chcp 437
5⤵
PID:2940

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
5⤵
PID:2512

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & dxdiag /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
4⤵
PID:2092

C:\Windows\system32\chcp.com
chcp 437
5⤵
PID:1360

C:\Windows\system32\dxdiag.exe
dxdiag /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
5⤵
PID:836

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\SysWOW64\dxdiag.exe" /whql:off /t C:\Users\Admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt
6⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & wmic qfe get HotFixID
4⤵
PID:3068

C:\Windows\system32\chcp.com
chcp 437
5⤵
PID:1736

C:\Windows\System32\Wbem\WMIC.exe
wmic qfe get HotFixID
5⤵
PID:1740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77430d.rbs
Filesize
788KB

MD5
d3a8848557a30398592e0d73e8cd3940

SHA1
fa8ba7efbdb12686ca631a174ff6bdd8d0a20ec9

SHA256
6f399e2232031e217e471132507352aba6e3957ea8f5713525c5bd31b0b7c56a

SHA512
032a9f2306acd7bbe36409ea0bda6f6678d558c1e70044472d50a46bf5180abe1ece572ced9971ccc742344b1d77b92028c88409778f89791bb6e1b8f1820c2d

Download Submit
C:\Config.Msi\f774313.rbs
Filesize
8KB

MD5
b6a626d0a950ebbd247c3954982eba2f

SHA1
0fc078a9eeb10c9ead5f2a8ad961d06041fe0162

SHA256
78827ebc9d09956a3a3c270591f0b33617e6766d8c39f660b6c80ac027867736

SHA512
9d9d1fba0d63a6c91189a0cd23ad134755bdfc7566bef978ef313cd22b3dbee0bb216031350eaa30cab7078bf3a381511311114ecc601dfd3adae39504e113a0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack
Filesize
1.0MB

MD5
45288142b863dc4761b634f9de75e5e5

SHA1
9d07fca553e08c47e38dd48a9c7824e376e4ce80

SHA256
91517ff5c74438654956aae554f2951bf508f561b288661433894e517960c2ac

SHA512
f331cd93f82d2751734eb1a51cb4401969fb6e479b2e19be609e13829454ec27cec864c57bdc116bf029317c98d551e9feafc44386b899a94c242bc0464556d8

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack
Filesize
150KB

MD5
168f72fd2f288a96ee9c4e845339db02

SHA1
e25b521b0ed663e2b050af2b454d571c5145904f

SHA256
5552e52e39c0e7ac423d6939eec367a0c15b4ca699a3a1954f2b191d48a034e6

SHA512
01cdf3d8d3be0b2458d9c86976cef3f5a21131d13eb2a1c6f816aeb2c384779b67d1b419fa9233aedd3bbd16970ec7c81689bf2e25a8bebadec5de8e9b5a19f1

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
87fb52832b75e3d4277c862750c45113

SHA1
142af7416382c80cdf834715d1d63bc6858c2946

SHA256
c4f05792cda8510ed77d940fc33053d288cf4ba64429b07be3d751d8926fe1e0

SHA512
4d8e08cbac1589298d6c047d7245a1885ef236804cd3de48ae056d0ab65e2348c1241dea979866c16c5c44fa363e3ac0f8ab034663bf1de7ec241700bf61d881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
53a9f05239a10b7a4740d9e7e8da6a46

SHA1
8f526b3e94b5d02f3be9bc3c41eb715fb2a5d118

SHA256
be468dfa7dc23940d54455379df4339eda8afa9a4160198e244002ef65d431ab

SHA512
469c9d84f85a4643ca7163166231cbaf5f7eb0b910cf7c2db53fae66c2056905da40fccd68d41d252c2c7c90895b0779d967557d0e8f40d230910362a05247d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
Filesize
180B

MD5
8020211db5f7875376949059ddc05340

SHA1
816468ac4f29ba824bf9e25a4a228639987c7d0b

SHA256
e4b148a536c38a65013e4f720b3f31f5ae072786ee19e7f12a9355a43150c047

SHA512
96d93caea06d7455653b487498e924ec3bf9ba0b92c8bc9748a1d777affd3f374d86943a04ab07df02fad90a065d12592640fba1526e8a22ed08519d44cfb736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3e0bd04d88ee62ac949e6aa3749ed427

SHA1
a410a9ab3c2d62e9bc19f8924d210f29e65b75dc

SHA256
5ff3b6c523c5b3e104debb1dbf241453baaf8ed2c2dbdb3917711820ca8ba812

SHA512
47032c36004268d33f3ad11d451aaac348ce70abd19cbbdc27a63cab5c8f805e809928375c289be152e6ef4e019bf7b67854aa032cd19755b28821c7256e0876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bfb95ec216cee5d9f71732c5394958e8

SHA1
0011c68c1b060fd81899e8768fbe4f46bcfa61d4

SHA256
4114135238ea645465c11ea7175555e2261e9f993e5643c487cadc2906290854

SHA512
612983cc1706aafde31e6526db7fd5766140775fc31db28bc886d270370ff66a1ea9c6558587f904c9ed499b5dbac5ce04d15f3fd99137b426083a61a2549380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a02e2ca1e3c21bb3da24827a432f106b

SHA1
b54d822713989a4db564442e3d133d25119538eb

SHA256
a38a2cf181c52dc398bcd95ce387325c158814390bcf8f6f8b7dce0670790313

SHA512
979021980cea47b5459781cbe1c1e8193627e6150e3a585409e687357afd4697f9544be3797e697acbc5eb65b7d7bff807944f54769e5f94a29d641a15a7d3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c5caed8b86f1025c6ef72c68d3b78d9a

SHA1
72630f5f79fe5c5a741ab7c90dfca7f83025aea9

SHA256
e4297eb147acce641e82e8da62b28c20ed4d90979800a0339a505442e2dd6195

SHA512
69f143261b4156fec30275ed35df234f9a755873af453bcbbce93fd9f93a438e23ae4329b41035908d95dfd2012fc10840a520a23bd7992a51bdbca151d6e941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dcbffec1aab3fc6450a25bdfcb91207e

SHA1
1556b85fced2ecd6b41a9f4f1415aa3123f073a7

SHA256
9a7bdc7bad64ce23987655b97c182863ba23fb1efb6bcb43286e03bec72e09b7

SHA512
cff019c8a3a1db5d8859b6efd04a4e8a090952dcca1c16a27fc553b92ac7655810113ccce066a223732a56d4bca3a3c8eb16b4d37283963fbcde10d519240ad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
155ed7697fdec856fcf21918a9a28720

SHA1
2a11e3dfd0abcc24e8fc64afa0c63dfc3fc0912f

SHA256
036da9abff28030fdbfb753a938ddcc0705a0599d7a6100bafe468ed98584d4f

SHA512
f0f62fdfbcfa61359399b5105b3910af8b6ecfe898af8c5c7e8fd67c303bfe6135996e4cf2b440cc9cb46252ad56fccf10b24054a0deaeb5c95eabb8f5736866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
71db348c50d3959314bb35ea77402fdf

SHA1
aeb297227c2846269886ce11210049320af3a1b1

SHA256
2179b7d9e1d75200952f9250757279059d827a423182e6b789fd28852d3708c4

SHA512
7dfb8ca4165340f348a16c6d3e06d1aac566a2706ae19d8d25652b60c15eca30c21c6d3ea016ec2b60d50c5375da0ea8a59761dc694e5b5129f6bd8defa99dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
912163b72deeece4372d9b5378578684

SHA1
144f6fa57997b722afa94db521cfe3b2511cb51f

SHA256
f236c2d43c2b8ae717983aa1a9bcffd8da97b3c5bf08d24fc158a0246e35186b

SHA512
b393225370d3929ce621f5f6c622da633351d97dcf32d2dcfbece55fd2df0807a7ab8d4fb0148d9cc35a7af839a90de812ffc77e1a83ae4d40a0ae15f6e07069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cda9705a024c1a96de8de8bf9fb04fcd

SHA1
72d09866549fa3680daca3002184d297c545b3c0

SHA256
073538ff0136007ba290c2dffaa0298ae0261f7e72e3ed5ac70804e6f98e4600

SHA512
6ed397be1fd23703adf8d7ce4948bedd7e5dcf317fe464fab816d28c380c368d0cc5eaaf713ce47201d12404f0aebbc38b251d39b7c29a1d22d0b502dc29fa1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8362006a88359b99bef0da40e5211463

SHA1
c910d38b872a1b2ea6276623f8392d6613d50884

SHA256
9578de8384777a33c87c741391da063070c978ba1eec34cb7027e966c3c7cedc

SHA512
10e1d7c484991af55ee36b0b4181d6366c2cec87d9d3dd66fb682b0a2b5215c83a55ba77dc1d600cc6f6d04ad9c305234e6741830279e928ce1b9220105138c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
07a965a6ed8c125e5ba8767d9a9e5a94

SHA1
fc9ec5e8d2ea1c3c6b61a303909232858f6c4af5

SHA256
1fefc0ffe552b91866aab85dcc35469f163d29ac5a0d149a9eab22618d0dd969

SHA512
6bec7d983307e77b800190756417f21bf287a6bd7b8b440531cac14aed346dccb3b9a2fa544303cca9c762ac1563f5206b2623680902f641d6e00452ffe266b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
893040119c244a1f8da7186a546ce6a8

SHA1
c4e5e5403c0d79ba5d33c518762af23e027f844d

SHA256
0e5d0d0bdfcbe657bcca4258a5da7e028a810d6b32f5a4120bd24db4e46a7424

SHA512
2feb9e23dc5ff6135313d254841520f397bd9d1b5592c53c3e564e9d805ac5ce2972a6f641f783bc43b28fd6a05ea30173c124dd93367d308335b24b27179bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
26bbb7758d321c87a13909fd4c399b96

SHA1
8211777562b634b699823d670dfb6b113d09aff7

SHA256
f6925c7271730bd36aef69c2f002e195d09a9655500b0da28219a2be35576698

SHA512
25bcbda9d8bbb0e993356ac2af9ccc630c276ec41db745a43780130de498e4e7a050127e725fbfaec51ef9ee4bb8c2af36f720c586824fc3778992f35e6f87b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
a5dbcad530771c13fe0b5e7524ecd99c

SHA1
8ce168b26c42000c06df9223d02f461b3a18332b

SHA256
8c5d8cf2df349d510ab70cf14c21fa5b780dd49c4611e8c3c1877ac29697ab17

SHA512
9537abcbbc7aa83ba608b7b41999539f710e7e94d62da1dfd9d184127c1414d9e02d3ced876b2ee7b83b0f44572b165db3bed7a0330b3fff0d8082cb39dca67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
0ec9aeec954498afc1fc28355b6a9cd8

SHA1
a0da76f1fa8be1440acd78555d22e196d4192619

SHA256
eefb724ab4cf3ef062071c24ef3a5854ea835935d9147503d3bdfe27991abeae

SHA512
42a220e9a30468d5988b4a8c03b029bacce9a08fc4dafd36f8ff4713bac897e983fe5e89c5484461797f89c140c3799b97484ab386273dbb31932c685a64a957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
d3850c92612d9ba018ec11640973d6f3

SHA1
ee5169c642b4bb214f114fb7da3566e1f51c614d

SHA256
db147efaccdc8614b3bcc05031a78ea3353f69adba3a4bfb47f7b205d47ddbda

SHA512
e238a213fd564fcc0b99ee80601bd5dcb7976db1164172d9f3f96f7785b01dbdacfa40177c36857c42aec4f53d2665dcdd0e73b56b2121080696050981182aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
4f23138ac9400f5cd4776556731f5643

SHA1
940dd1da731073db638b0f7bd8dfe0634db0b72f

SHA256
e2307576a0195d81a7322948df9de3caf8f0c2862764c3d70973627dafa1e156

SHA512
b6c29156c13a029b3cc1e53e548b3d51482d83ff9e17b8ca38f9eae4a5d72f5b431b2d61d1db7a50d1d619476cdc26aa1b4c1629b23f932f67c147cc6845e89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
d565b383bab3defc3a337f1dd03c2ca0

SHA1
de228af955e9fc3d7238d92e7fcb92f838edb74f

SHA256
911e733d9ca88019bcc3b8d7e62bcdc740f0e6826eda2adce94dbebb56fea9ee

SHA512
f99c1f650fefb692ea07d828002212fbe2be25e70e674de23530d52a613725051b65e0dc74e0c29be2ae0d48514aa6226d2335f9697b471042f9c6d841f791bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1066.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1172.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15CC.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
57b109c8746d000da4f4233c576e70a5

SHA1
c8cb9497435ed94202bac1df401ae1de5d895b0c

SHA256
e7ee985ec5a62b245890ea42dac472fcb1d9387b6c6986a57cde85a471c98787

SHA512
26a1ac6457fddb953a74048c3a9e67d6df949a7d3fb1022658dfbf65b18d22280d83dc965a31130ce189e8e519c51fe985883cf5cb46c1ee8f35c36620d97a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG19.PNG
Filesize
438B

MD5
7a64271e0ab1f805bdcdabf1a5bc306b

SHA1
d49ce9c0f273cbe0fe0c74db7c2325ecc206ea08

SHA256
c947d05b6594630bc38377a7c476df09a17e5a1d61c70c22039c94869bb45c5c

SHA512
be8a7742d24eca019331432631d0357b2f89239f9debc8b17517c4380aed4c09a0c093b443797ba405ce65b67118e54d5476b90837d638a8d7fa2bfffc9c42d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
a1b2c18ba9b5c4f53239d82fca6998f2

SHA1
00d1cf03d3bf42127e26e8f34472e0be753019ad

SHA256
4309e21f54ba0c15fb6c490f898a1ac5ab150f219351e8e881034c34f04e5c07

SHA512
108a6c6446d38c95815cbeece132adef16fc3ee1a4971f35cefb6324f14b37ec3268af104d3642df9940a2de68aa425f1bf972c5bd48f3fe3e0fc0e910cd6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
19c48e3f951fe27d2af8da0d9a633223

SHA1
f86d5d916635fddfb3fa3f137debfee94b1c46cd

SHA256
abd943cecd411160d5ed3151370a1e0db765eb67cabe9126dc10bfd97636a38a

SHA512
0c1daec28b5cb6c70baa54c56832695fb0ce46217d4a426a3414b6713f896bd59bcac35e9ae357a95590f98a2da4e93365ef4699fe625868b0ed9fe4d950a845

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
abbc84fe0a3e1e82dd7d7e35b53fb93c

SHA1
fa3e9b3fa4c776018093a0d83755454d105cb5e1

SHA256
1dd9a114421e225533a026c65eb4832c640e4cc45c976d222bb63652ed57ac3f

SHA512
52325c702e39f99fb8445d2ff49fd2c9124d81e8e275021500ca93732307d49df00e3504857e7d3ed799d34d3a034675345d21dfa1aa14915ad4c84312531fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
7KB

MD5
af252c27985a132f05596dc6d1b41c92

SHA1
ad031c71ffe1b1e767b3aad9a0fde039ae4d4f1a

SHA256
191b7484e92d7b0652c9529c709d4b7b885aa0d078b706c1ca9ccad1aa3e3876

SHA512
5cdc0914dcfa6a96b4c3082fcb4c157365f9074ab3daa364204dd4026139e050367a820dba35ec4377f8548bee1ea8993c8e9ef2166c0bf9afa6215f8d0cc80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF8D1B58590C530DEA.TMP
Filesize
16KB

MD5
ad1232f5b2c606ce8715347981a7824d

SHA1
194ea8a154042464484f4f4491e42d4b19c9e038

SHA256
01e6e51aa72505fe5433f36a18cd7473f74ce2d2b8ded150c08fe755a3251a56

SHA512
f120babba317b599294ba6d2c1e65c9d7d1c2e13d2cbbc54a336eb61e0a4311a3a8447784369276e1b4d2c7a5335824e5449ff1f60fc74ae5b7cea12eefd32e3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
2.7MB

MD5
b4c85facb1ba9b726675bc7f8e9dc8bb

SHA1
daaf287ad2be511c99260e57c98575740eb65ab2

SHA256
fcfb649a92bc918b5a211b8cfa07f2930bc727b144cf2cc259e9e1697c3f44c1

SHA512
68b96fe8fe6b7a09920495aefef349d39651d0aa0b31eb5c62c8af698ea1f7d6356b5044cbc87d1346891e12af3a94270b2184e7842d09e046c25261428398be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LN69L5J2.txt
Filesize
511B

MD5
aa4baaffe6c2b952bde768640304dbe0

SHA1
634e64d10989303466e78ded502c67f9600ae1cb

SHA256
b648ea7b252f55f6cf432b1591017a7bac5c181d3754265c65675f272673bf6c

SHA512
daa6a56708bf84b8a110f1c1c30a8d5abfddcbec19e0366df97969daa75a8a55941f414c57d0828636cf26788b4b6e89a87a21a2b102df3fcdece4d52e706729

Download Submit
C:\Users\Admin\Downloads\jre-8u51-windows-x64.exe.p6h46ji.partial
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
C:\Windows\Installer\f77430f.msi
Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
58ba6a510156ca2c218ecde8b5104ea4

SHA1
e089d7e48fa79794ed8708fc798258a60dd77c4f

SHA256
d49a0af66e3cb83079283bbd5a50eee87a3d396855aa1c87fb50bfce62e3ec31

SHA512
259a047a498717d9384a787469c1d5037a223292d3720c7f24e36214d3edc6d955171803d366ba08bf18fe01fc6c00784dbb10bdbbcda806066ce405dd41f60c

Download Submit
memory/352-1555-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/352-1551-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/352-1549-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/836-1328-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1188-202-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/1188-94-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-95-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1188-182-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-236-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-61-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1188-62-0x0000000000650000-0x0000000000653000-memory.dmp

Filesize
12KB

Download
memory/1188-183-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1188-174-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-194-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-195-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1188-17-0x0000000000C60000-0x0000000001048000-memory.dmp

Filesize
3.9MB

Download
memory/1188-175-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1272-1709-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1894-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-2611-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-2612-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-2613-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-2614-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-2607-0x00000000545E0000-0x00000000545EA000-memory.dmp

Filesize
40KB

Download
memory/1272-2608-0x00000000545E0000-0x00000000545EA000-memory.dmp

Filesize
40KB

Download
memory/1272-1930-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1924-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1872-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1866-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1859-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1850-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-1851-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-1852-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-1853-0x0000000054AF0000-0x0000000054AFA000-memory.dmp

Filesize
40KB

Download
memory/1272-1844-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1770-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1766-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1748-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1726-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1705-0x00000000545E0000-0x00000000545EA000-memory.dmp

Filesize
40KB

Download
memory/1272-1693-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1698-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1272-1706-0x00000000545E0000-0x00000000545EA000-memory.dmp

Filesize
40KB

Download
memory/1468-237-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1928-1678-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1928-1677-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1928-1672-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1928-1665-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1928-1679-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2188-15-0x00000000032F0000-0x00000000036D8000-memory.dmp

Filesize
3.9MB

Download
memory/2188-14-0x00000000032F0000-0x00000000036D8000-memory.dmp

Filesize
3.9MB

Download
memory/2228-1461-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2228-1498-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2228-1460-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2228-1504-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2348-1062-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/2348-1066-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2348-1060-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/2348-1061-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/2348-1055-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-1414-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2420-1456-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2420-1450-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2420-1415-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2424-1570-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2672-2615-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2672-2616-0x0000000001E40000-0x0000000001E9C000-memory.dmp

Filesize
368KB

Download
memory/2672-2620-0x0000000001E40000-0x0000000001E6A000-memory.dmp

Filesize
168KB

Download
memory/2672-2621-0x0000000001E40000-0x0000000001E6A000-memory.dmp

Filesize
168KB

Download
memory/2684-1407-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2856-1655-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download