79f3253ef6d17fabd5bbb627fd604f2093519642f1d74875050f4c5b5c14a30b

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.841-Installer-0.9.6.exe
Size

20.9MB
MD5

3f287173a52111e30366ab7c601ce1a5
SHA1

dae84d13bf14ac70a5565912e19c92bf2fa9f581
SHA256

79f3253ef6d17fabd5bbb627fd604f2093519642f1d74875050f4c5b5c14a30b
SHA512

698a7a38d60a42c035cbf5a5dd69c0a164cf4fb1b629a6461803b216384d407d0cce61dea81624157f916d4352a7f6084b78441b1ab79cfadb571b9ca23f97d4
SSDEEP

393216:DXXRIcBtYto0fs/dQETVlOBbpFEj9GZdqV56HpkV3sZH3oegnW:DnRPBWTHExiTTqqHp8aH2W

Score

7^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/2072-20-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-375-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-425-0x0000000001260000-0x0000000001648000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/112-453-0x0000000000A60000-0x0000000000E48000-memory.dmp	upx
behavioral1/memory/112-517-0x0000000000A60000-0x0000000000E48000-memory.dmp	upx
behavioral1/memory/2072-526-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-596-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1382-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1384-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1459-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1462-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1478-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-1490-0x0000000001260000-0x0000000001648000-memory.dmp	upx
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe	upx
behavioral1/memory/2708-1610-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2708-1621-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2072-1928-0x0000000001260000-0x0000000001648000-memory.dmp	upx
behavioral1/memory/2072-2475-0x0000000001260000-0x0000000001648000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

28 1032 msiexec.exe
30 1032 msiexec.exe
32 1032 msiexec.exe
34 1032 msiexec.exe
Downloads MZ/PE file

flow	pid	process
28	1032	msiexec.exe
30	1032	msiexec.exe
32	1032	msiexec.exe
34	1032	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exemsiexec.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\nio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javafx.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management-agent.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\awt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jce.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\mlib_image.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\deploy\messages_it.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\dt_socket.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\prism_es2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\t2k.dll	installer.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\task64.xml	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_51\bin\JavaAccessBridge-64.dll	installer.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f777cb2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEC9.tmp	msiexec.exe
File created	C:\Windows\Installer\f777cba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f777cb8.ipi	msiexec.exe
File created	C:\Windows\Installer\f777caf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f777caf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI857F.tmp	msiexec.exe
File created	C:\Windows\Installer\f777cb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f777cb2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f777cb5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDB9.tmp	msiexec.exe
File created	C:\Windows\Installer\f777cb8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF53.tmp	msiexec.exe
File created	C:\Windows\Installer\f777cb5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEA4.tmp	msiexec.exe

Executes dropped EXE 25 IoCs

Processes:

irsetup.exeAdditionalExecuteTL.exeirsetup.exejre-windows.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exejavaw.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exejaureg.exeTLauncher.exejavaw.exe

pid	process
2072	irsetup.exe
2540	AdditionalExecuteTL.exe
112	irsetup.exe
2768	jre-windows.exe
2228	installer.exe
2708	bspatch.exe
3036	unpack200.exe
1896	unpack200.exe
1872	unpack200.exe
2268	unpack200.exe
1580	unpack200.exe
2192	unpack200.exe
2392	unpack200.exe
1596	unpack200.exe
1260	javaw.exe
2504	javaws.exe
960	javaw.exe
2096	jp2launcher.exe
1924	javaws.exe
1748	jp2launcher.exe
2612	javaw.exe
1568	javaw.exe
2276	jaureg.exe
2280	TLauncher.exe
2088	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-2.841-Installer-0.9.6.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejavaws.exe

pid	process
1248	TLauncher-2.841-Installer-0.9.6.exe
1248	TLauncher-2.841-Installer-0.9.6.exe
1248	TLauncher-2.841-Installer-0.9.6.exe
1248	TLauncher-2.841-Installer-0.9.6.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2072	irsetup.exe
2540	AdditionalExecuteTL.exe
2540	AdditionalExecuteTL.exe
2540	AdditionalExecuteTL.exe
2540	AdditionalExecuteTL.exe
112	irsetup.exe
112	irsetup.exe
112	irsetup.exe
2072	irsetup.exe
1140
1140
1032	msiexec.exe
2708	bspatch.exe
2708	bspatch.exe
2708	bspatch.exe
2228	installer.exe
3036	unpack200.exe
1896	unpack200.exe
1872	unpack200.exe
2268	unpack200.exe
1580	unpack200.exe
2192	unpack200.exe
2392	unpack200.exe
1596	unpack200.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
856
856
1260	javaw.exe
1260	javaw.exe
1260	javaw.exe
1260	javaw.exe
1260	javaw.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
2228	installer.exe
856
856
2504	javaws.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_51\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_59"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_46"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_74"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0022-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_27"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_61"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_101"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_01"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_51\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

jre-windows.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	jre-windows.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jre-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-windows.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-windows.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jre-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

jp2launcher.exejp2launcher.exemsiexec.exe

pid process

2096 jp2launcher.exe
1748 jp2launcher.exe
1032 msiexec.exe
1032 msiexec.exe

pid	process
2096	jp2launcher.exe
1748	jp2launcher.exe
1032	msiexec.exe
1032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2768	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2768	jre-windows.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	2768	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2768	jre-windows.exe
Token: SeLockMemoryPrivilege	2768	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2768	jre-windows.exe
Token: SeMachineAccountPrivilege	2768	jre-windows.exe
Token: SeTcbPrivilege	2768	jre-windows.exe
Token: SeSecurityPrivilege	2768	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2768	jre-windows.exe
Token: SeLoadDriverPrivilege	2768	jre-windows.exe
Token: SeSystemProfilePrivilege	2768	jre-windows.exe
Token: SeSystemtimePrivilege	2768	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2768	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2768	jre-windows.exe
Token: SeCreatePagefilePrivilege	2768	jre-windows.exe
Token: SeCreatePermanentPrivilege	2768	jre-windows.exe
Token: SeBackupPrivilege	2768	jre-windows.exe
Token: SeRestorePrivilege	2768	jre-windows.exe
Token: SeShutdownPrivilege	2768	jre-windows.exe
Token: SeDebugPrivilege	2768	jre-windows.exe
Token: SeAuditPrivilege	2768	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2768	jre-windows.exe
Token: SeChangeNotifyPrivilege	2768	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2768	jre-windows.exe
Token: SeUndockPrivilege	2768	jre-windows.exe
Token: SeSyncAgentPrivilege	2768	jre-windows.exe
Token: SeEnableDelegationPrivilege	2768	jre-windows.exe
Token: SeManageVolumePrivilege	2768	jre-windows.exe
Token: SeImpersonatePrivilege	2768	jre-windows.exe
Token: SeCreateGlobalPrivilege	2768	jre-windows.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

irsetup.exeirsetup.exejp2launcher.exejp2launcher.exejavaw.exe

pid process

2072 irsetup.exe
2072 irsetup.exe
2072 irsetup.exe
2072 irsetup.exe
2072 irsetup.exe
2072 irsetup.exe
112 irsetup.exe
112 irsetup.exe
2096 jp2launcher.exe
1748 jp2launcher.exe
2088 javaw.exe
2088 javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.841-Installer-0.9.6.exeirsetup.exeAdditionalExecuteTL.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 1248 wrote to memory of 2072	1248	TLauncher-2.841-Installer-0.9.6.exe	irsetup.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2072 wrote to memory of 2540	2072	irsetup.exe	AdditionalExecuteTL.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2540 wrote to memory of 112	2540	AdditionalExecuteTL.exe	irsetup.exe
PID 2072 wrote to memory of 2768	2072	irsetup.exe	jre-windows.exe
PID 2072 wrote to memory of 2768	2072	irsetup.exe	jre-windows.exe
PID 2072 wrote to memory of 2768	2072	irsetup.exe	jre-windows.exe
PID 2072 wrote to memory of 2768	2072	irsetup.exe	jre-windows.exe
PID 1032 wrote to memory of 2228	1032	msiexec.exe	installer.exe
PID 1032 wrote to memory of 2228	1032	msiexec.exe	installer.exe
PID 1032 wrote to memory of 2228	1032	msiexec.exe	installer.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 2708	2228	installer.exe	bspatch.exe
PID 2228 wrote to memory of 3036	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 3036	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 3036	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1896	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1896	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1896	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1872	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1872	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1872	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2268	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2268	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2268	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1580	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1580	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1580	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2192	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2192	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2192	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2392	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2392	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 2392	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1596	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1596	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1596	2228	installer.exe	unpack200.exe
PID 2228 wrote to memory of 1260	2228	installer.exe	javaw.exe
PID 2228 wrote to memory of 1260	2228	installer.exe	javaw.exe
PID 2228 wrote to memory of 1260	2228	installer.exe	javaw.exe
PID 2228 wrote to memory of 2504	2228	installer.exe	javaws.exe
PID 2228 wrote to memory of 2504	2228	installer.exe	javaws.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.6.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.6.exe" "__IRCT:3" "__IRTSS:21900001" "__IRSID:S-1-5-21-1340930862-1405011213-2821322012-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-1340930862-1405011213-2821322012-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:112

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
4⤵
- Executes dropped EXE
PID:2612

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
-cp "C:\Program Files\Java\jre1.8.0_51\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
4⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\msiexec.exe
"C:\Windows\system32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi" ALLUSERS=1 /qn
4⤵
PID:2516

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.8.0_51-b16
4⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
3⤵
- Executes dropped EXE
PID:2280

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files\Java\jre1.8.0_51\installer.exe
"C:\Program Files\Java\jre1.8.0_51\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_51\\" STATIC=1 REPAIRMODE=0
2⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228

C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack" "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
PID:3036

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack" "C:\Program Files\Java\jre1.8.0_51\lib\javaws.jar"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
PID:1896

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack" "C:\Program Files\Java\jre1.8.0_51\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\rt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\charsets.pack" "C:\Program Files\Java\jre1.8.0_51\lib\charsets.jar"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
PID:1580

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\jsse.pack" "C:\Program Files\Java\jre1.8.0_51\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392

C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_51\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.pack" "C:\Program Files\Java\jre1.8.0_51\lib\ext\jfxrt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaw.exe" -classpath "C:\Program Files\Java\jre1.8.0_51\lib\deploy.jar" com.sun.deploy.panel.JreLocator
4⤵
- Executes dropped EXE
PID:960

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
PID:1924

C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_51\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_51" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNTFcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DBB789A4DC430ED9453320B6DC5E18F8
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre1.8.0_51\installer.exe"
3⤵
PID:1844

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91E91CAD71D59654DDA7C7C029D751A4
2⤵
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f777cb3.rbs
Filesize
788KB

MD5
cf1242a402c1097113e4577bdd3088e0

SHA1
886ed3f43202da346f0f91e22fae828a3fca74bd

SHA256
076d9a71f922ec9eb359a4358fe273395f2c9b0780296c14c6d548b9fff48b3f

SHA512
3166b79f0a73175707844b3081b804374e99a41177a257fd97a6d6220fa183fe4d29773f63e065bdf7ab11f380e7d19c0c6f0c27915b91f488b5ed169372aa68

Download Submit
C:\Config.Msi\f777cb9.rbs
Filesize
8KB

MD5
aba2b0a24b90511bbc650891a1f2a94d

SHA1
320de79864f1f9f36d41c6a34aca54f5782992e9

SHA256
11aab0e28889762baedebdfd95c9013832d32696febab1d8a2af4ec5216d11c3

SHA512
60ee1b1772056ce20adf98383a78365578ad0fb9f8a1a7b2e1417e8a0d6e89f9e6c4f67ad15a30fc728912fecaa31e85ef3e180c607f1644c79d36c3d41a138d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\MSVCR100.dll
Filesize
809KB

MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npdeployJava1.dll
Filesize
1.1MB

MD5
cb63e262f0850bd8c3e282d6cd5493db

SHA1
aca74def7a2cd033f18fc938ceb2feef2de8cb8c

SHA256
b3c10bf5498457a76bba3b413d0c54b03a4915e5df72576f976e1ad6d2450012

SHA512
8e3ad8c193a5b4ab22292893931dc6c8acd1f255825366fdd7390f3d8b71c5a51793103aeacecfb4c92565b559f37aec25f8b09abb8289b2012a79b0c5e8cb3b

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javacpl.exe
Filesize
75KB

MD5
f49218872d803801934638f44274000d

SHA1
871d70960ff7db8c6d11fad68d0a325d7fc540f1

SHA256
bb80d933bf5c60ee911dc22fcc7d715e4461bc72fd2061da1c74d270c1f73528

SHA512
94432d6bc93aad68ea99c52a9bcb8350f769f3ac8b823ba298c20ff39e8fa3b533ef31e55afeb12e839fd20cf33c9d74642ce922e2805ca7323c88a4f06d986d

Download Submit
C:\Program Files\Java\jre1.8.0_51\bin\javaws.exe
Filesize
314KB

MD5
5ed6faed0b5fe8a02bb78c93c422f948

SHA1
823ed6c635bd7851ccef43cbe23518267327ae9a

SHA256
60f2898c91ef0f253b61d8325d2d22b2baba1a4a4e1b67d47a40ffac511e95a5

SHA512
5a8470567f234d46e88740e4f0b417e616a54b58c95d13c700013988f30044a822acfef216770181314fa83183a12044e9e13e6257df99e7646df9a047244c92

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\deploy.pack
Filesize
1.8MB

MD5
5cfc3a1b269312f7a2d2f1d7c0497819

SHA1
d048284db9ce7103156f8bbce988b4d9978786b7

SHA256
80ba80d2a6c20deef6e2f3973337e15e22eec30508899ae998bf191ba725db26

SHA512
8735af7c8bc5b48aac42120326a5dee21f98512ba31c57c77b6fc3906b7b1b98e5f22f57a31f26dc3e16abe63a6f15ef2e115c7fc17bbab35e846dc373da9c6b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\javaws.pack
Filesize
211KB

MD5
5a83bc9b3e4a7e960fd757f3ad7cd263

SHA1
f5f308aec7e93accb5d6714c178b8bf0840fb38d

SHA256
0a95ab97c85e534b72a369b3ee75200f8075cb14e6f226196b18fd43e6ba42f5

SHA512
b8e554bbf036d0500686e878597ffdefa8bcd091ab6533eae76fa04eda310cec7cac89b71911f1f81012f499c7bec890ac9032685945f7e5e6b68f7ad3f7430c

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\plugin.pack
Filesize
482KB

MD5
538777ddaa33641aa2c17b8f71eed307

SHA1
ac7b5fdba952ce65b5a85578f2a81b37daed0948

SHA256
9948b1c18d71a790e7b5a82d773fea95d25ab67109843a3f3888f3f0ac9d1135

SHA512
7a5877e0eaef6424ea473a203184fedb902cd9d47df5d95d6f617ca4efa1162f0ffd418e9bc6b7492f938cb33fc6384907237487d6ad4f6d0d2d962402529d8b

Download Submit
C:\Program Files\Java\jre1.8.0_51\lib\rt.pack
Filesize
13.1MB

MD5
f0177701b36068c9a2bb4924dd409fa5

SHA1
71e4b32c95e20dd565a6603d3de3819eb4f19d33

SHA256
93c1e08034b68e12d78005c2950145595327477c17c1f716248d3e16313b4eec

SHA512
8e198bf60dbb95f38bf5eca67c9b7cd4fe9920890ba3d569e08de59b38c1b00830a0a37168fd74c874df86b7ff0915c8b69adb1591432b42b5ff35e5885e6641

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\bspatch.exe
Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\diff
Filesize
9.1MB

MD5
d417682702b140d7131851bae877f046

SHA1
aa78da727e8a62c839a9bb6f7a93b48d3a04be70

SHA256
3b3657c83e4f588f0e759cd46e99309cece2ebb54af2c377f9dc087ec764fda8

SHA512
9e107b7f61e42410807aa1e6761ac7adce412846f69ae8e2e21b147e39d1a95d41367e21624381750eb11c77322206c4d869a477e5442e8323405c85854c03cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c20e448be76f8c2e30314c6e2af29fa9

SHA1
ec3a3a4d962128fdebbe6797761dfb0a9f3d9ee7

SHA256
a4d5e9caccc4471a901212f361ef1a87945258ec19bd521dccfce83cd4e9d562

SHA512
ab143a4c34b98927c0798e08482727e9d807403f4cd99971207fa4c56c3b1e3b28dff91f6170db801194456ce020f093d4d17cfe62b1e6aaa7b63abd29ee18e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9462d8e9e38fcf62833ad9ff544bc81f

SHA1
f2c3f33a5c39884e4203d783ce2a50cac66588f4

SHA256
c66f73558630daec07dbf50bc350e09782e74e02f08d74fa42022137eef9f33f

SHA512
3aa9d1942e24dce228129f9aeb8431e777f7d9dc5a394e32b5e0d17930aa72bfad3e7040928f9bd4756088dd028929e58ad9f14eefef874ce46665b88efb010c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
060ee8a1190d802fc27a7979ff7fd2a2

SHA1
eeb36c79797367085ce0f445f391623f69966926

SHA256
7d07b30e2b485508d91b2b546fb8febbbb5e567a51026685c13a7a3c134733c1

SHA512
dc2a9a60293ce0ac6342ad893cf21dd4e2ba71c05a7d434837bf07e99a14e4d11f7ce6fc9535248ba487e0299533cc53a27b6f321538be7e1b5c1afe2b7d5503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
516afda73758e185424c78aca27bf8ee

SHA1
0a9f3edaa6a9c8e9d0fe91d62b18dfce21b73bcd

SHA256
2770eb02bcf901ffb719d55dd3ce1b1ecde9f9c46c50c9fccc32f03d8b94bed6

SHA512
0ce68e17e5871165edbcb94dd0e77ea478a6906edc5d4a7764e3571a77db634b214c3e250c3643f06fd71774d87da8dae2291000b1746fd32941851124e5efda

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
6125355f03fb0a9688551535763d8c48

SHA1
14ecc82244316d7f4ef8f15a8aa0eeee4edc72fb

SHA256
030f5a5064c190e3562bebede10255455984b002767011875bd120532686e6c9

SHA512
235947c5c9e61581f76a94715e41e6fcf08fcc6e6fb99142eff2db4908d9a5b549b283d85161fc8283e75c4492c654148ddf7ff23d41b5970f08173e69a4fc34

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
591260343d375bfe9f13e1ae1013e9ac

SHA1
aa2035fc78987ac6f0f58500d886b304431fdb2f

SHA256
7296c56a3a8184f8cd0d188abc884bd1afc262acb8b632f7c1e251a9d2451394

SHA512
8672f142be803cc7a1ed4895bafb14640ff4bb829b0237ef0eb8b05f22ad693ba6d24daf205d1a491119633664bcce7812ede614270ba291bc818d2c18a1db8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_51_x64\jre1.8.0_51.msi
Filesize
38.7MB

MD5
1ef598379ff589e452e9fc7f93563740

SHA1
82ad65425fa627176592ed5e55c0093e685bfeef

SHA256
d4bdc230eaebefe5a9aa3d9127d12ac09d050bf51771f0c78a6a9d79a1f9dbf2

SHA512
673f4b08fc25e09e582f5f7e01b2369e361f6a5b480f0aa2f1d5991f10076ba8a9d6b1f2227979b514acc458b4fdc254fc3c14173db7e38b50793174d4697f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F27.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F4A.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
fe137c81fbde2a02aa1144c7be80a6e2

SHA1
aebc161f139a5e204484f09935ce93aea2815b85

SHA256
cb61659f0698a66ed996db7f8a9dbe770c2888f7132b480427a06631e8b963c6

SHA512
1f47fe0ba45e26240605a5ed52b376fe86f2a599b3c67348d1b579cd8d452a002bfb6fc9a380122451c1916ea324a4b9f1764443e3847bd8b1138a955d7d8416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG
Filesize
40KB

MD5
d9014b0296ca862ce63a31896ad8b0d5

SHA1
1d5c437fb4d0bea1021ce3e34dd54f5c3db4ec43

SHA256
78390f091624addd4f060a58f6e96d3012dbb17355470f6c33831f68773ec0d7

SHA512
abe9836e63b182c35e1b38168b4ebf7703a6b7aee408466fde883ca0cc47aa55dbe289ae21a2fc502db20a29fef07aa9dc3d756cf6148c88604042e0fdd305aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG105.PNG
Filesize
1KB

MD5
d83f1730a96b95e76287da1a6693a06a

SHA1
32308a5d667c6522d73388d7b67e38c97d5308a0

SHA256
5700a7080ab93c16129f8f72527f8efe1370acf712ad8cb8ae31bd5052b1ed43

SHA512
07be8a92a3ef5a937424a56f926c839ee394b91ab18b975e4cf767643dc66644aa84756a4157c4d91d787a05bee2897f54699faa91054b67121cb8e71c5661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG108.PNG
Filesize
2KB

MD5
b64546a43eb61ea574f2e7f77078b4a1

SHA1
77be598cc22686c9d993cc0e0e821185e54fd4fc

SHA256
88b4f791137b5b961c0a26f88aef627e9826532c8cb4a684e1cc3826e33ea502

SHA512
5a861a434607029416ad8bc94a74b5af1eb6e06a75e4234bc66d0c52f303d62ea9f17e79b41b73596e34a5890e1bd3fda1106f16a5b84f0e39fa72701ea5464a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
706c01b9fc4abbc103f4801e82fde0f7

SHA1
e9dc373751d241f3b4c0257846fc7f4a4d779344

SHA256
fdf94d2223e3edf60a71134446de70577a9bdeb37edd039f04d67af3764cb04a

SHA512
4448de09cf0d31e7256f418fea18ae6bafe448966edfca18c40aee77cd2858fcd809bfaae956559894bb95e2f8d7970a49f45ff9fefa4f62657d008d0140b472

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG
Filesize
1KB

MD5
e8b5b830f0aecefd7913201dae73e130

SHA1
ccae811e66ab16141b304fe0837581bb4e437fe7

SHA256
06c2bfdb9abe36e2944d1e3ade5f06a2d26b7d1abd9375089a31b444ee3d615e

SHA512
112a7ab2acf6666a576953bca0ce88157350149ea498ef2b0cd3121dd9659d8df261115a66891bcef2fda25f637894b35b692e6f8985cae05a497da69469f367

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
57dafa9987575c033bda214c847b1458

SHA1
29e6c1f2a1299504303132de0519f37e580d0942

SHA256
ffa2ac5921d812b08a4d694d10e393c8c76f410635c4ca96ba782cb743ab2855

SHA512
8bbba096aa0e967a3f2898a46663e327c34b28f437f45bed422a91bdc5f8366dc3e10689a2b8843d051d18e9e76044f30f98bf1db01602d1d8b30954f0dab110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG
Filesize
206B

MD5
bbb7566d1df1670f17398815e5bbf8f7

SHA1
d4862a872c8b39ba162d09bd01b698f92795f837

SHA256
57645422c10c9e410f14a25c636a372067fbd3f0da6aebf32feb2c070abb3c92

SHA512
b8869dae59b15399981d0f12fa26fcb169987b1d0749b2e36e4fc0350b352de7f8625b54dd152d2d446fb118080d10620583213afefbc0052fcad167902baca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG
Filesize
43KB

MD5
801095e25a19f34bdd0125332baa586f

SHA1
0d61fc1fe7652bd42f77b4ccb45c87aeb8845214

SHA256
2e3d98e961d62512a950ac66134a6a4bd2615e191e7308a6fc52a5bf0e2a8b71

SHA512
2c3225bf38ecca5656dd60a9003f248fbb38097bb71cf4168fee2eee4e8056b11b971b973e753cd92a5375a0ecd88d54e44aacdf135821da1b78235abd823c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG
Filesize
1KB

MD5
35dc064624279a6587516c92f4259235

SHA1
898662913850b22ef17fd702d85c416794321222

SHA256
6498efd71fe1f92ab1fd602c074fd2c013b96d8a6280555d8ef54115bbcde1b2

SHA512
8227905652eb6e87fec020d389793961a795ce572963d57d672282ba05e930c8b8d6f49d4c2dd07563cae08243069aba66b214acbd1362d1ec64417c13323651

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
110KB

MD5
dc1091f32258495a5313da54870b0768

SHA1
26eb9cfd00861bb55fdb4e25bd3427b5b137c148

SHA256
ebd2b290264dfc287b3ed4fda4aa6680f71a2997e15a8e1003696d9000a17d23

SHA512
8f084e376a8e0e5bc3ae34d24d114e29ade6f4a5bb59fb5a291bc9c427df1ec8539b1d7d5fb1609f2a4087f2eb17b445f8b9e2751dca0717c06ac2207ad4e639

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
8KB

MD5
ab8feaf409e514ac64190a89a91bb80d

SHA1
edb7c68873ff0dd0751c559d0afc39a65ca10473

SHA256
d3d878250f7a9efad2ed58f18a7949ed8fe9eec2b26d32a8d5b115a39a062b32

SHA512
9d72bc62d755c98e68168d3f5b2e553b6838a23744ca4026f051ce862b6fd219f1b17fa43bd3c238b916cbb6c00dc12aba57a26590585afe49b239d7429797f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
18KB

MD5
2ede91507611f3e315943d8b6f867a13

SHA1
274dff064cd804c13bd65cfa0b5769cc00795d2f

SHA256
305b21da29c0563ab172f7640d21b3fe1deef8d7a0e4a6389e6ace88c2c5e89e

SHA512
3cd68a55802157cbba01974b2ccb5c1b8578faef0104adfdf7df2c550c44979cd86b391c6c3dd3f2e5b0b1d9b1787817c9f12d92d8c608bea07ca3b81e33e722

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
603B

MD5
074e892e776dc13bedce5ecb78295966

SHA1
5750a3a91faf1d66b0a19b843541b718ccf1874e

SHA256
71c0a04ff30a1e360bb4b58b9c9a098fc659dbad38eb87cbdcf455a66e688652

SHA512
97581d2fcb25d55a54cc7e4037e5fe9c534e1bce09b920f263ac44cfaf021693b00a3f77be1be315aa74fa25a2aa4cbf500c921f4da738558ef8e999ed138b13

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
4.4MB

MD5
36b0cf922898be229d7192c142bbef0b

SHA1
28056ae3088f21097a305b505d898be3408ae67e

SHA256
a68acea31bb170b0cd85ba1ed9db349b4a9091780ad280c1649583c010df750f

SHA512
e6733d90656cc370eaad55d30a8a39384933cebfc8109020fe8c3302b44b14882f159b768bfb98df00666d7f9629835a146a77b46b5caea13786e959b2d0199d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.BMP
Filesize
451KB

MD5
72140762686e56435d154a429210c04f

SHA1
ba8aedeb5729dd4c4175d7a72e87d43074a58e8e

SHA256
6319580128c2b8e048e78d5e5eaaf7bf14fdb3ef5ffe6c35e8856204a9b6430b

SHA512
d73f114d65c067455025023c1676a59a0bf262e19da3883e05a8ddf5ca1206bcf1a552e922715604bdac507bc0f01265a563ef7b34c7d2afef9504e15d649c93

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG
Filesize
1KB

MD5
4a087a588ab5100411444675b96c8b89

SHA1
2893640f722d1dfb1251ecfbd2b397112a546133

SHA256
2e0ac52afe35d27ef951956c5d42f405f3a2fafc61d7590a358c21524dbcfe82

SHA512
77460dcf21c04566a31fc57f4a88b8dc8a1e007dee06c8e2ff59d15cff9161767582e913c49b2dd2bf131139ac85065386f71de1c9c457915872aebb754c905e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
45KB

MD5
0e405c87b6110dd8960c7b71f9ffe4f3

SHA1
ee700d17287ef52879e75dbcda77bfcc33049717

SHA256
5da7ac89f64c5a50f1c779c278be8d798590201f748b17f91bc117f785b2bb29

SHA512
1059c647d32f5e1f0f0f61e76fe44e1ae84c13f99511898aae0f3cddcdeb7b08b96f140d89f0548a7478904b2a981d2f4b228c6162449158c817e241164a5798

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG
Filesize
457B

MD5
f3d9e5d67703a59ea81d5e661f425a8b

SHA1
8ad7586f0f0d5a9934518158fbe93ca98aedfff9

SHA256
2c48c7bbc556d68b13a8ae4d4a86392d20e03e860c52cfc56b678fb0cbdea94a

SHA512
d6792bac91175015d297269979152bc2a306e23f4ad183f2216914d82943d40d40aec149bce9cb47aec38f80ad68ed878321cce74f10a7d81a5c8b2ad2cda51a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG
Filesize
352B

MD5
21cb7168b7a2adafaf298e87767d9b11

SHA1
00d1f66e15b38c024ce019f82f6db9597ffd54c8

SHA256
5ee86596338d44325d820c8b74bab895c842038766b3952c6c70572a9f3df1c2

SHA512
afe756f3a755301317b9c5124bed1396d752206c3b2e5faa42ef82312fbbb1a46dbccc943da2399c54868d772c6b335e55dcb2069af6b5956225c9b956c09e2d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG
Filesize
438B

MD5
842bceedfb1bea13bc67b8857539142c

SHA1
6f595e9f375e32cc7b89f1e1906bf3bf6adbbae0

SHA256
98d04bdaf68e5ba7dcc89d2f49dac646eb354915622bc0cd80f3b563a2404580

SHA512
738c42ff17575b577de56083c716d01619b544c67901449b02f1d776fa46795a7fe258a9b20ce949e59b3381125bf333152adc42e4481ae531987362e791c07e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG
Filesize
1KB

MD5
e1f85e62f3a619b5848378c2cf3169ec

SHA1
0241e34ad99ba73e5e145b0ef5135c924c72ab27

SHA256
ae85581f385f730fbf3e9c774f194eed3a2059861846428d1059e6d92f1ea1e0

SHA512
2a57eda6c58a40d4fa149e9f553acb80e5898d91f2bf0100f6a95be8a38a0ed298cef56cd29336481c69144091b4b0ab639ec3272eba835f889ccf4018f0dd61

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG
Filesize
1KB

MD5
8fd6a83316ed70cda0ae74aec12d58fc

SHA1
3678eb7e2a44e84a96329b6d1f19f077e6aaec88

SHA256
fda2188de607703dd49250383af8f8cbe4e2c62badbf008763fe8e55979dffc3

SHA512
eb19a1cd4dd1b0f9a0e377dff057e2fa9869c327347a5f7947b30d437c3e524e8da809f55db5b6936e21589d5a5c8057dc14b213dfee65b4764fa22149633c3d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG
Filesize
41KB

MD5
bee7f4219c017cf50f97816d34c29d52

SHA1
cb7c2ea34610a93cb50eb430730654753fa0a179

SHA256
3c6aa37937a0279192aaa990ea30e524d2fac9aceac1899e2b51400c6394447d

SHA512
32ba8131e38039fad9bf44a61b6f393e81557fc94c8d4993c10186480c19669a2f3697aaac123e084712d4c4a3c8c182a82dcf08405247a7010e455bde707c17

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG
Filesize
1KB

MD5
a446d4015f66de165c4bc5fb3eae6bde

SHA1
bf5c7fd6783dd31a0188282f3fcd45f96b6923ac

SHA256
3dfd2ca144a10e1cedd9294753d561df3f28cc50b6682971f06de4bc6c9a58b0

SHA512
0907a019b280a41f7bb913e478c7d2df94eabdaa65674ab9ff0170557e747e4f1e8e4a2792d1669bb400e471359eca81127dc53a7ee412cfcc793b642ace0d52

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
33KB

MD5
1fa79f7b019b5f1d8f784291ea22ba4d

SHA1
399c45296835259a509289f0cb04a7910ed3ae85

SHA256
ed4dfd33db699d353526289eece2b7f8beccc2be8d7c17dae10bba928d273a21

SHA512
dd45b56296bbd4c1615ad3ebfd03e38d718b0b5ff979240bb1b6f027066f34dfb2d83f8e0b8b87dc470333c8e339d777fa514502efcabddfe0105cfea3b1e3c4

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
6KB

MD5
586146cddeb390d3af2c14b3fd0e6e66

SHA1
c1a2cd2b2091ecb74bab37f09ba9ad2d6642f4ef

SHA256
e825639de1c58f49c9e74dd0b99739ef347efaa46bd072688713947dc448f3f0

SHA512
8bfe25cb105010519677f10f0d68f8feec56cb854dcaaa8258c3f0d947b5939826f572b5f8d5700391cbde7b54c56ad702affda67fbe4482dabc0f63b8ae758a

Download Submit
C:\Windows\Installer\f777cba.msi
Filesize
660KB

MD5
4afca17a0a4d54c04b8c3af40fb2a775

SHA1
96934a0657f09b25640b6ad18f26af6bd928d62f

SHA256
b15d3a450b7b3e5ce3194ab9e518796cc5f164c3e28762ffe36966990dcd2fe8

SHA512
ee76f5fcfdd9c1202fd5abdc2bbde8fb2543cee83265f6d2fb5458d1a086152ff6bdd4bf62a88150d325ea282bd2ecd66dd5f127bdd847cfa69cdb88985a8305

Download Submit
\Program Files\Java\jre1.8.0_51\bin\unpack200.exe
Filesize
192KB

MD5
5b071854133d3eb6848a301a2a75c9b2

SHA1
ffa1045c55b039760aa2632a227012bb359d764f

SHA256
cc8d67216b1e04d7a41bf62f9c1088cd65a3d21796c5a562851e841b3afa28cf

SHA512
f9858ec0a1bfb7540512ede3756653d094ff9fe258d13a8431599280db945e8d9ea94c57595c6a21aa4fbfcd733eea9b887bfcf87e84279a7e632db55380920c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
8f36e70842e3210b8725f210554e2c91

SHA1
dc91404cf9dd570a06895af5873c82d37d1a92c9

SHA256
2f79e6a69bb38839d9e07cfeb0a9295ccd08f907cef3f47142db8d5ec792599c

SHA512
3661caee41c90f687f30ae72e7104ed4cbababb99d44c2d9c68f195c57ef7f1a88ea8f4e07eb7b0df167de28cd5534f2ebf8e4ecc6e725457306c6c21b82bdc2

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
41.2MB

MD5
b9919195f61824f980f4a088d7447a11

SHA1
447fd1f59219282ec5d2f7a179ac12cc072171c3

SHA256
3895872bc4cdfb7693c227a435cf6740f968e4fa6ce0f7449e6a074e3e3a0f01

SHA512
d9f4e268531bd48f6b6aa4325024921bca30ebfff3ae6af5c069146a3fc401c411bdeceb306ba01fbf3bcdc48e39a367e78a1f355dc3dd5f1df75a0d585a10c6

Download Submit
memory/112-453-0x0000000000A60000-0x0000000000E48000-memory.dmp

Filesize
3.9MB

Download
memory/112-517-0x0000000000A60000-0x0000000000E48000-memory.dmp

Filesize
3.9MB

Download
memory/960-1960-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1248-21-0x0000000003270000-0x0000000003658000-memory.dmp

Filesize
3.9MB

Download
memory/1248-424-0x0000000003270000-0x0000000003658000-memory.dmp

Filesize
3.9MB

Download
memory/1248-19-0x0000000003270000-0x0000000003658000-memory.dmp

Filesize
3.9MB

Download
memory/1248-17-0x0000000003270000-0x0000000003658000-memory.dmp

Filesize
3.9MB

Download
memory/1260-1878-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/1568-2118-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1568-2120-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1748-2047-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1748-2053-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2072-1383-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2072-1462-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-2475-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-526-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-527-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2072-425-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-1343-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1490-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-426-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2072-596-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-375-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-376-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2072-1478-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-1479-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2072-308-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/2072-307-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2072-1928-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-1382-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-1384-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-1459-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2072-20-0x0000000001260000-0x0000000001648000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2515-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2088-2582-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2088-2581-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2088-2533-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-2521-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-2516-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-2514-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2088-2483-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-2506-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2088-2489-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2096-2007-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2096-1964-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2096-2001-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2280-2364-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2540-448-0x0000000003080000-0x0000000003468000-memory.dmp

Filesize
3.9MB

Download
memory/2540-449-0x0000000003080000-0x0000000003468000-memory.dmp

Filesize
3.9MB

Download
memory/2540-450-0x0000000003080000-0x0000000003468000-memory.dmp

Filesize
3.9MB

Download
memory/2612-2101-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2612-2098-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2708-1615-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2708-1614-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2708-1617-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2708-1621-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2708-1610-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download