Malware Analysis Report

2025-01-18 21:40

Sample ID 240415-waqg6acc69
Target TLauncher-2.919-Installer-1.3.3.exe
SHA256 1127fd6ea53d54feb45168d7e98488387e11b0673123142cf8a8f84fbe73140d
Tags
adware discovery persistence stealer upx
score
8/10

Analysis Overview

score
8/10

SHA256

1127fd6ea53d54feb45168d7e98488387e11b0673123142cf8a8f84fbe73140d

Threat Level: Likely malicious

The file TLauncher-2.919-Installer-1.3.3.exe was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence stealer upx

Downloads MZ/PE file

UPX packed file

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry class

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 17:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 17:43

Reported

2024-04-15 17:52

Platform

win7-20240221-en

Max time kernel

473s

Max time network

478s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\installer.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\installer.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\installer.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0211-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0348-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0245-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0382-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0131-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0398-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}\INPROCSERVER32 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0280-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0328-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0400-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0231-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0331-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0305-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0329-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\INPROCSERVER32 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\INPROCSERVER32 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\INPROCSERVER32 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0380-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0296-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0074-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0166-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0314-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0184-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0178-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0307-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0384-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A

UPX packed file

upx

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} C:\Windows\system32\rundll32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" C:\Program Files\Java\jre-1.8\installer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\WindowsAccessBridge-64.dll C:\Program Files\Java\jre-1.8\installer.exe N/A
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll C:\Program Files\Java\jre-1.8\installer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Paris C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\java.security C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Niue C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\LICENSE C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Miquelon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fontconfig.bfc C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\psfont.properties.ja C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\glib.md C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\calendars.properties C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Zurich C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\dom.md C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14 C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI20BD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIEF03.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f770c58.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF3BA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFD41.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f770517.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF447.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2020.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770c58.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA50E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF812.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770c5d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770c5b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI21D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA4DE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF1B4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF36B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770517.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF126.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC0F9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF29F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIF165.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF468.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770c5b.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF7E2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FB2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7702d0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI703.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7702d0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI713.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\msiexec.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7} C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024" C:\Program Files\Java\jre-1.8\installer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0374-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_374" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0113-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0212-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0312-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_119" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0387-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0057-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBC}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0190-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_190" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_35" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0317-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_51" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0088-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0147-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0209-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_101" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_26" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_21" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0104-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0241-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0160-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0280-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_298" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0391-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0297-ABCDEFFEDCBB}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0215-ABCDEFFEDCBC}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0212-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBA}\INPROCSERVER32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_20" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0217-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_57" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0246-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0338-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0277-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_189" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0104-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0125-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0304-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0221-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBB} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0160-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB} C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0257-ABCDEFFEDCBC}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0302-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_302" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0352-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA} C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0143-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_143" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0337-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB} C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0364-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_364" C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_300" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0280-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0192-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0393-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_393" C:\Program Files\Java\jre-1.8\installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0344-ABCDEFFEDCBB}\InprocServer32 C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0296-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBA} C:\Program Files\Java\jre-1.8\bin\ssvagent.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}\INPROCSERVER32 C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\MSI20BD.tmp N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 532 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20BD.tmp
PID 2460 wrote to memory of 532 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20BD.tmp
PID 2460 wrote to memory of 532 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20BD.tmp
PID 2460 wrote to memory of 2116 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 2460 wrote to memory of 2116 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 2460 wrote to memory of 2116 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 2460 wrote to memory of 2080 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2080 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2080 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2080 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2080 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 2324 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe
PID 2324 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe
PID 2324 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe
PID 2460 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 1872 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre-1.8\installer.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre-1.8\installer.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre-1.8\installer.exe
PID 812 wrote to memory of 832 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 812 wrote to memory of 832 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 812 wrote to memory of 832 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 812 wrote to memory of 1344 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaws.exe
PID 812 wrote to memory of 1344 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaws.exe
PID 812 wrote to memory of 1344 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaws.exe
PID 1344 wrote to memory of 2516 N/A C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
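The table above records one row per WriteProcessMemory call, and each row names a writer and a target. Parent-to-child writes of this kind are what CreateProcess does when it sets up a new process, so on their own they are not injection evidence; what the rows do give you is lineage. The Python below is an editor's added example, not part of the sandbox report and not TLauncher or Oracle code: it parses a subset of rows copied from the table, de-duplicates the repeated write events and rebuilds the process tree, which makes the two independent roots visible (the sample itself, and the Windows Installer service, whose own creation the sandbox never attributes to the sample).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Rows copied from the WriteProcessMemory table above (a subset; the three
# repeated 2068 -> 1268 rows are kept on purpose to show de-duplication).
WPM_ROWS = r"""
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2068 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2460 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2460 wrote to memory of 532 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20BD.tmp
PID 2460 wrote to memory of 2116 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\rundll32.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
PID 1380 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 2324 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe
PID 2460 wrote to memory of 812 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre-1.8\installer.exe
PID 812 wrote to memory of 832 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 812 wrote to memory of 1344 N/A C:\Program Files\Java\jre-1.8\installer.exe C:\Program Files\Java\jre-1.8\bin\javaws.exe
PID 1344 wrote to memory of 2516 N/A C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"""

# Writer path is matched non-greedily so that paths containing spaces
# ("Program Files") do not swallow the target path that follows them.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


@dataclass
class ProcessTree:
    image: dict[int, str] = field(default_factory=dict)            # pid -> image path
    parent: dict[int, int] = field(default_factory=dict)           # pid -> writer pid
    children: dict[int, set[int]] = field(default_factory=lambda: defaultdict(set))
    writes: dict[tuple[int, int], int] = field(default_factory=lambda: defaultdict(int))

    @property
    def roots(self) -> list[int]:
        """Processes that were never written to by anyone in the table."""
        return sorted(p for p in self.image if p not in self.parent)

    def ancestors(self, pid: int) -> list[int]:
        """Writer chain from pid up to its root, nearest first."""
        chain = []
        while pid in self.parent:
            pid = self.parent[pid]
            chain.append(pid)
        return chain

    def descendants(self, pid: int) -> set[int]:
        out, stack = set(), [pid]
        while stack:
            for child in self.children.get(stack.pop(), ()):
                if child not in out:
                    out.add(child)
                    stack.append(child)
        return out

    def render(self, pid: int, depth: int = 0) -> list[str]:
        n = self.writes.get((self.parent.get(pid), pid), 0)
        lines = [f"{'  ' * depth}{pid}  {self.image[pid]}  [{n} write(s) from parent]"]
        for child in sorted(self.children.get(pid, ())):
            lines.extend(self.render(child, depth + 1))
        return lines


def parse_wpm_rows(text: str) -> list[tuple[int, int, str, str]]:
    """One (writer_pid, target_pid, writer_image, target_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events: list[tuple[int, int, str, str]]) -> ProcessTree:
    """Collapse repeated write events into one edge per (writer, target)."""
    tree = ProcessTree()
    for ppid, pid, pimg, cimg in events:
        tree.image.setdefault(ppid, pimg)
        tree.image.setdefault(pid, cimg)
        tree.parent[pid] = ppid
        tree.children[ppid].add(pid)
        tree.writes[(ppid, pid)] += 1
    return tree


if __name__ == "__main__":
    tree = build_tree(parse_wpm_rows(WPM_ROWS))
    for root in tree.roots:
        print("\n".join(tree.render(root)))
```

Running it prints two trees, one rooted at the sample (2068) and one at msiexec.exe (2460); everything under 2460 is the bundled JRE install running inside the Windows Installer service, and nothing in the table links 2460 back to 2068, which is worth remembering before attributing the Java-side registry and file activity to the launcher binary itself.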

Uses Volume Shadow Copy service COM API

ransomware

Note: in this trace the VSS activity coincides with the Windows Installer run (msiexec.exe /V, followed by vssvc.exe and two DrvInst.exe invocations registering STORAGE\VolumeSnapshot devices), which is what a restore-point creation looks like; no shadow-copy deletion appears anywhere in the trace, so the ransomware tag should be weighed against that.

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-1658372521-4246568289-2509113762-1000"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000004E0"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding F3A7DF56E951F8424DC127C429D93822

C:\Windows\Installer\MSI20BD.tmp

"C:\Windows\Installer\MSI20BD.tmp" C:\Program Files\Java\jre7\;C;3

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005C4" "0000000000000494"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding B6B7876EDBA0C2B6DB8CADD75E5E5131

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 356FA8D45E856324F3340E3F8924C745 M Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-1658372521-4246568289-2509113762-1000"

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1

C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe" "STATIC=1"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 57173479DC96053C7C25F5A1A3290381

C:\Program Files\Java\jre-1.8\installer.exe

"C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking

C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

"C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup

C:\Program Files\Java\jre-1.8\bin\javaws.exe

"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe

"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma … -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Program Files\Java\jre-1.8\bin\javaws.exe

"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe

"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma … -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 15E2C4A5E1D01C32DF5C2124DECEAE29 M Global\MSI0000

C:\Program Files\Java\jre-1.8\bin\javaw.exe

-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus

C:\Program Files\Java\jre-1.8\bin\javaw.exe

-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
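The two jp2launcher.exe entries above receive their real arguments packed: the -ma values (and the elided -vma values) are base64 over NUL-separated strings, as decoding the two -ma values on the page shows. The Python below is an added example, not part of the report and not Oracle's deployment code; it unpacks the -ma value from a command line copied from the Processes list and diffs the result against the parent javaws.exe command line. The decoded list carries -notWebJava, which the parent's visible arguments do not, so such blobs are worth decoding before concluding what a launcher was told to do. The tokenizer is a minimal quote-aware splitter written for this report's command lines, not a general Windows argument parser, and the elided -vma value is left out rather than guessed.

```python
import base64
import re


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace while keeping double-quoted runs together
    (sufficient for the installer command lines in this report)."""
    return [
        m.group(1) if m.group(1) is not None else m.group(2)
        for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)
    ]


def decode_packed_args(value: str) -> list[str]:
    """Decode one -ma/-vma value: base64 over NUL-separated arguments,
    which is the layout the values on this page decode to."""
    raw = base64.b64decode(value, validate=True)
    return [part.decode("utf-8") for part in raw.split(b"\x00") if part]


def packed_args(cmdline: str) -> dict[str, list[str]]:
    """Return {'-ma': [...], '-vma': [...]} for every packed argument present."""
    toks = split_cmdline(cmdline)
    out: dict[str, list[str]] = {}
    for i, tok in enumerate(toks[:-1]):
        if tok in ("-ma", "-vma"):
            out[tok] = decode_packed_args(toks[i + 1])
    return out


def hidden_args(parent_cmdline: str, child_cmdline: str) -> list[str]:
    """Arguments handed to jp2launcher via -ma that never appear on the
    parent javaws.exe command line."""
    visible = set(split_cmdline(parent_cmdline)[1:])
    return [a for a in packed_args(child_cmdline).get("-ma", []) if a not in visible]


# Command lines copied from the Processes section above. The report elides
# the -vma value, so it is omitted here instead of being invented.
JAVAWS_CMD = r'"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent'
JP2_CMD = (
    r'"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws '
    r'-jre "C:\Program Files\Java\jre-1.8" '
    r'-ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ=='
)

if __name__ == "__main__":
    print(packed_args(JP2_CMD))
    print("not visible on parent:", hidden_args(JAVAWS_CMD, JP2_CMD))
```

The same decoder applies to the second jp2launcher entry, whose -ma value unpacks to -wait, -fix, -shortcut, -silent and -notWebJava; the only difference from the first is -shortcut in place of -permissions, matching the two javaws.exe parents.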

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl2.tlauncher.org udp
US 104.20.65.88:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 tlauncher.org udp
US 104.20.64.88:443 tlauncher.org tcp
US 8.8.8.8:53 javadl.oracle.com udp
GB 104.103.251.196:80 javadl.oracle.com tcp
GB 104.103.251.196:443 javadl.oracle.com tcp
US 8.8.8.8:53 sdlc-esd.oracle.com udp
US 23.220.112.104:443 sdlc-esd.oracle.com tcp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
GB 104.103.251.196:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 rps-svcs.oracle.com udp
GB 104.103.251.196:443 rps-svcs.oracle.com tcp
GB 104.103.251.196:80 rps-svcs.oracle.com tcp
GB 104.103.251.196:443 rps-svcs.oracle.com tcp
US 23.220.112.104:443 sdlc-esd.oracle.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.java.com udp
NL 23.62.61.163:443 www.java.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 85772cc6142fd068e316f5bcdfb9fa18
SHA1 2b6169f71860685189abef7c46a271b43a6af36b
SHA256 b5e561a9e6aa55cdde55a182aa753b726dd9ce299d1734824ea4ef4f0a1775a8
SHA512 0f03c69813b366ee352c5fc0209fe4a7dc257230f82afdda75d97d7676ff1abf30bc09cb900ce28916e9ee07e5b9f850c4f3ec803c0d23cd572ffee928d0418d

memory/2068-5-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/2068-15-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/2068-16-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/2068-18-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/1268-20-0x0000000001390000-0x0000000001779000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 c333af59fa9f0b12d1cd9f6bba111e3a
SHA1 66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256 fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA512 2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

memory/1268-600-0x00000000009F0000-0x00000000009F3000-memory.dmp

memory/1268-598-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 dabd469bae99f6f2ada08cd2dd3139c3
SHA1 6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA256 89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA512 9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar857D.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

MD5 83a8f0546164c9ba1a248acedefd6e5d
SHA1 7652f353ed74015e7e78bc9f9e305a48d336b6d1
SHA256 e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9
SHA512 111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

memory/1268-682-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-683-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2068-684-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/1268-685-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-686-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2068-687-0x0000000002D30000-0x0000000003119000-memory.dmp

memory/1268-688-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-695-0x0000000001390000-0x0000000001779000-memory.dmp

C:\Windows\Installer\MSI713.tmp

MD5 16cae7c3dce97c9ab1c1519383109141
SHA1 10e29384e2df609caea7a3ce9f63724b1c248479
SHA256 8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2
SHA512 5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

C:\Windows\Installer\MSI20BD.tmp

MD5 8b285b5164ac3dbd6f6c97c81c77fb59
SHA1 2d846f00f4a1533d93d9f7fcf797cf406b7a79e5
SHA256 7c932b844dd505281a0eb1e3cb3c1b27be9ca47866655cc3bfd6ae660d4f6b2c
SHA512 2669938f68238a5e68accdd2c3f7dcdbafacd58e00418f32769bd452580e4a4fa0169b001652801ec3ec0ec67f093997a87f1bb80bd83c20cbf1145d3249e2b8

C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

MD5 515c45d9da4c615f7aa931fe67941121
SHA1 71582470022487dc37cbcae8395bf9614ee8b365
SHA256 251c6dcbaff7129aba535ab84bba4e4828f2eacee8172d6b07acb4db2714c6c9
SHA512 587c416a401848ee7306a26c8a3100f778e71ccf1cbccdb04be9b405f85201120c2a1aac7551d6d119153d52b464eace7bf78fd4b0a81b8952700d30cb44f06f

\Program Files\Java\jre7\bin\deploy.dll

MD5 2b652299b9967a6d7f9c321b04cd9c5b
SHA1 f26f9e22a1ba45fc5fd68b975889a1a637781056
SHA256 26b9a76128153429f3f5d668b134fe3c14b8b8430ae0e671191033bdda296097
SHA512 4e0bd2a70b6f82eb2ab80d5992d65455defb3b38021231e3d7cafa63e82634661bf9aa9eaee3b3e26d03c60fdc6666a59bdeee8c0bab0ef12740de6727366c2b

\Program Files\Java\jre7\bin\wsdetect.dll

MD5 a06336b79db4da78f4af955e26f7c0c6
SHA1 3c24fb0f8bf38999ccffc75a0f5710878bc40fc1
SHA256 2d96fc7ddb77288f05b78340cf6ac85dd604a2e5d53d6fcb825eead1a9b008d8
SHA512 c664e9259db49075cedd933f64ab4247384a117c5be609958e440a44cf2bfba13a10ade36f7c8bcacdec063c3ca63b3c70c5392e5b7d2ea02fd5be06a62c180a

C:\Config.Msi\f7702d1.rbs

MD5 74c190be8b85a0fc9fa965149df0370d
SHA1 347fa4cf351ecc9eb075c367e2ac3f5c5c49299b
SHA256 bd0c56b41a80d914cedcc11634f8afa76c82c0a5acbeeeecbac146bc8e7be878
SHA512 7f81990dbd536def97743aba484b7902c290efaca501b3a6b7d148400e6a6b7ca505e73d285bad60e38dcc48fe739d989581799379b06d117168e594a54bf3ca

memory/1268-777-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

MD5 4754bcd3fd7f57b217c230b95e5e8e07
SHA1 73397176da6281de201a336b8646e1e3703d918f
SHA256 bbdf5d14005c3484f510166e82afdf16230d0ecf5ea5a84cb934b7d897d16266
SHA512 0f33db1172ab21459421ff4afa4e6e5dd6df54c426d7ecc7916d86cf8fdfe98e72ba794a4a0156956ff03194f9270ff3aef6ca474a58331951a1103eb3392660

C:\Config.Msi\f770518.rbs

MD5 9a825467a75d98facb010639ad559c6d
SHA1 8327295011be03477c4086a7444500615bd06c38
SHA256 8304c80e3d9e6921a1af6d1a573ae3c4cd734131400030c2f5f2b2b3775c4459
SHA512 c0830237fcc473e309ef9d34344706d47339f13178a46c7943eff566292202b3568d9e4f8a369495d25b73b22446c49d8b80517d9866e03901ac0328281893b3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

MD5 f5d6a81635291e408332cc01c565068f
SHA1 72fa5c8111e95cc7c5e97a09d1376f0619be111b
SHA256 4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26
SHA512 33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

MD5 f35117734829b05cfceaa7e39b2b61fb
SHA1 342ae5f530dce669fedaca053bd15b47e755adc2
SHA256 9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3
SHA512 1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

memory/1268-840-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-847-0x0000000002F60000-0x0000000002F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 a266e0ae1001da0023f9664afbcaee99
SHA1 f943c180e5221a5943039c21b21f394dd99cbe14
SHA256 819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf
SHA512 525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c

memory/1492-877-0x0000000000B40000-0x0000000000F29000-memory.dmp

memory/1380-876-0x0000000002AC0000-0x0000000002EA9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

MD5 3adf5e8387c828f62f12d2dd59349d63
SHA1 bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a
SHA256 1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0
SHA512 e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

MD5 5dbdcc7cd23da279e429083635bf07e1
SHA1 6ef68f6cd1156056dbc7a464892dcb13cccf0e4e
SHA256 d1ef350b5a146edf1aafb25cb2f6c74896ba3297c12b48620173816fb336db09
SHA512 e62fc0760f434558e70bfa609fd9a45846e3332c9ee009e4d3146d80c1d86049744fcc9bdc58e98a34a9eb97ea1d186416d2658fba1d513356250c04de1875d5

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

MD5 1ffd93751bc3400074dc0affa49ddfaf
SHA1 81be618514bdb88161333386f326cfcac2075517
SHA256 e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be
SHA512 b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcd0772b6e00747de174409020b3970f
SHA1 5b2ccb5b1166c5c3a61dbcf66ff15b838943d298
SHA256 fe5a95659772ac77a021268538f7d9a09eddf38a2b33667688cb5ffae3c71ae3
SHA512 830a9c8f9f121c0941916eb6203223a47239ece58becf37c4d77920adb6413cb71e03d5a007c8779ea1f2ceebf30dde681b09d576485a3eca2996edd10957bf4

memory/1492-952-0x0000000000B40000-0x0000000000F29000-memory.dmp

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

MD5 4f7fa4dee62924a4fd3b726cc150c256
SHA1 684319e7c90f8101980c88e9b327eaf3e00c3aa1
SHA256 16ee6b2cb0ad4b9e862bc8511dc916c6fcfa3e1898e4f8d96ee3ce98a1e84401
SHA512 a3a38b96e7376d083edeef681a5eec21baee2e736547840ed6e41397f85c917e25c57d9201df9fdc9c0140a7fac4cf775d7af2d218646cd921d5b468b21a1c66

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG

MD5 44b7f88f828cb198ef4d3bb74c491da9
SHA1 e152b950eae01d9f8a3255bfc1576f63239d73ea
SHA256 4f0d9bddf74090d9deaf5fa332e93ce98ab673ca9d4a7ae722a8641bfb572c2f
SHA512 9d97e8d8e93112f93d21428fbb8170d699973bcb28604b49541c0f20d6b0b803fcc9bb4ce0c55f03912675c08963d33490c0dabc9bba9524f2d6bc224e95ec78

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

MD5 e5d58eadbf836dd10e686eebc3a5be5c
SHA1 d1ca91793d766019ddb08e92e8734b0dcc866c46
SHA256 1d55e1a2619072c43fde1846479bdf096de360fe157939569965e75bebd1a4b2
SHA512 c52187077ef449bcd85424cd629390752998e4fc492dbe22ad3a9ec1b757e68d2901d491dffdfaed1269f8c8022adafa3987c4c2b55428262d0dc9052b6ce60d

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

MD5 9a922807c184a7f18f808735ac851f3b
SHA1 142c5e76464e31ce99795f0126e284c25d11040c
SHA256 a576357ae47d4bb1aa07fb6a503c1f88e55467c97275e85f48792c0351f7e408
SHA512 38f2c9c5881ba07fccebcef28c5a7b75b72fea8d30e7049b62142868c803be6e01409d8bd6e371c5bb6188eef505e268274894a9a8ebd65053f35f8d53f1ed3a

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

MD5 ff54bcac65743e803865f43f041284b2
SHA1 4ab743a7d2a0a9a5237c1d503f134339e4d31f7a
SHA256 c0506574d1b5b01f7906fd8c6baf99e9631f6a204d1ab5b8c5bd8f6bbd907743
SHA512 3b21c743ffdec316597c143cd293bb98fb58da911ba9af5c1df8e602082b75b131ec3d8bb3b07d89bbe589f3e062fbe1bb70e57176ee1de10bfc5f30b76f63c6

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

MD5 300bf5341502ba7eee93c2b16c63af7a
SHA1 c0b30be839455dfe2f514c07c52dd085392bb022
SHA256 046d24487296987dd7126d52df2bcf36040bb573f8fa695018e255b48200f7b2
SHA512 7720d9e1b94bcd4480100d430bb103d332214b7062212a33e066e60457659645251b86c1e331b1afd872ac5cae1835b826c94f9400c56bc40fd43ba1c4daa6a7

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 797d44585917c2718110366ca9e14031
SHA1 96e9bb5902460023ba88600c287d6a9d75ec632e
SHA256 e89ea690a865a67ed38e2ea7b5ac65239e0cf05f87ee51bf81f0f23be570406b
SHA512 d6ea6c70d084b41f32624a370f3be53ffffeb0b9412d56e210ac05ec4ad1d77944598bcd6886597bb0808f2c8878a713dd92544e3faa439fb866c809a8da923c

memory/1268-980-0x0000000001390000-0x0000000001779000-memory.dmp

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 02e6fc8f292c669bc9794b628abd767a
SHA1 b065e4078f17114f7470e9ec49bafea859de943a
SHA256 12cd3aa17b60ce65d0454ecb2970f8eb1cb644829ae4da0af8512ac166f692d3
SHA512 b964fdf0987a6c567258df2104422d019873f0c6c846520b744b5f7c98154b92a31c420e6a25115abbb5864a377ed322d1be6e5946e57883c542697ec444845f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

MD5 121558ff4a60cbdd63a2c563f64e3a8d
SHA1 c5a58189193a6dd14ecea5e8f9abfa534182afab
SHA256 57e4e472dd3e5a8d82a63b607d79e9d96ed42c69bca5d3f9aa4b1a338ff7318c
SHA512 36b2366bd1fa8597c20ff43b041c5dc1c62183ba536dea31ca1125cc1f99ff1dcb7e907959d6f0672e57ed82be585615ceaa6b963a8b5e540510d329c610a267

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG

MD5 75decfe97d92fa34481d3b502316fd2f
SHA1 b98065fcacb2e19cb67eec0bf6f2fce53403b38b
SHA256 247a19e724dc8cf8ff5d3dce60fdc12c839e55149670d0366b362d827f7d0a91
SHA512 10dfd147f5366143357de272b0f2ff2db517c0a9b6b5da2956b52a5bd141c8d6898d0575d3efec3b146fe194eafa3b8cc968bbc5dcf6776de2d16cb62eb85aea

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

MD5 e9f67b64d881a992b1cfd8e3530cca32
SHA1 2a94600e58d1d88e7ddd19419b98c58cb3202be3
SHA256 b1b65f3ef3b45ea3d98a19c8b1b2dcc25c54a2a5887525724434ec64d7677089
SHA512 0d1bf5b51368132b9bae5510227e15ff9d4c68716b2760950adef49735553f4c721067ee4867255607d492a9f756e5501ea1095dd0ed35b65aba6a7122b16635

memory/1268-1492-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-1497-0x0000000002F60000-0x0000000002F70000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d92ae243c1b6eec131cae82b1017930
SHA1 4474963d719277e665b5c8761e9b81deb1e12707
SHA256 3f9768041300a9376fde488c2fd52b562d667ea99203440c3a0a95748332eccf
SHA512 3864fdd4399065751aac81f062e218d03ccf197e184821dbf08bd1ad58558cb0ab7671f4c6c0199ad837312c616f7aba560a472e0076ef981e02b042aa14f201

memory/1268-1514-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-1515-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 af1d24091758f1e02d51dc5f5297c932
SHA1 dc3f98dded6c1f1e363db6752c512e01ac9433f3
SHA256 e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd
SHA512 8d4264a6b17f7bbfd533b11ec30d7754a960a9f2fbef10c9977b620051c5538d8eb6080ea78e070904c7c52a6ce998736fad2037f6389ad4c5c0ce3f1d09e756

memory/1268-1527-0x0000000001390000-0x0000000001779000-memory.dmp

\Users\Admin\AppData\Local\Temp\jds259572403.tmp\jre-windows.exe

MD5 96d622d62567def49ad8999324a66709
SHA1 5a4749631631d97e9db816f5cca2392e69d0b7d9
SHA256 953b06705f72bfffac774c41ceb359fe1d3f8a0c5d6a44f93597ce9c39399994
SHA512 c2d350895f47c5164138d2e3befbeb0acda8097a7904a28d9ad9db70ea0aabb3ec54a476dcb2746a41308fb79616d810305c53f7e23a4856a3f9eb656896de0d

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 5760004377be9c3cbe1e39a45f1199bc
SHA1 d38467fc0c449fab72c1469dfd92725f2c2999c8
SHA256 0d543d3c07ae43d5241eef27f5111d2045db4ad2117fe72f8e01807d3fba5d57
SHA512 4c4f453fbe7715705846d25887fb829fd5aee0967092233dd9bc705435efcc3e447f1797adbfb92921dcc3ed22e7c168b503c614f9724df51f903cb74862718f

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 a5f3a8fd41e0005575d7e789d6859b91
SHA1 735e34f3f7f94096ad1fe224a9b1efaca0aa92a1
SHA256 bef0a7ff877d565d77def5f81c67b181d178baa9e065725bdc4280ce67879b13
SHA512 543baf863d031cf0febbb5837f40e44646fa82dbc2b205ef5a11425efe39d89c072006ca8dabd4bac19f8a02d5c9ffd2142e3385fe9a9197f7dd0025e6d63176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KOTV78OE.txt

MD5 19048172b851173b33d7acfae1861682
SHA1 413229af4a78a80839d4f586ba23a7bb02a5f565
SHA256 cb46700aa075114bb09939506700b4da4fc6f31a79c79017e6375102fb10fd6b
SHA512 8aaac0199e109e7ab61045baa6e8e39881663f7e85148952640332a8a2e8779ae850d76a6bd7e5dfd3ffd94af2781d37193cd58001bf3d6b6f22e1724830c3f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baf7ad1089ae39dbd51c9b7307fa1315
SHA1 1f1ccfb4170f30d39b245a83fd692e4cb133f88b
SHA256 fe75cd088f81c240212740e50c476b39dba3ec16c973023d50a9ef270c9c4d89
SHA512 f99bbc8e6e2c034c4ea324386bd72ebb6d461425ad6e6708e0af22bf5e22d912a8fdc5018745e7e0a03eb3911b257046f2b6d9507a029999e3383a082476ffd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 17965f5ac37a3d2a0e07c0d41f7d4196
SHA1 b82ccf16459772f471d2fe330dd3376d09bb6eec
SHA256 819ce2088812aa36c3ab0ad9884d57ce81db03be13aa1200c9ea6abe06d5f9d1
SHA512 0b84bbac81ace00a670ad65cc73edb6cd87234dc795d03263f1d4dacef440fbc424544ab1d3fa97b8766b01b44fdcef92f2ac9b0b258059fc223175b8f497492

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 caaa894bd0b543c9615ad0f75cc8cda6
SHA1 d6f61b83c48a035e1fed1c4160bca2e2fd8fe72b
SHA256 98ad7e44f3d306d8492bf6e4f8747efde418cf15e84e1c889c7c5f9b08af7219
SHA512 693022556ac9176d51e861969a7f5367d7cb269fdaeef93da66da12b9da0e742fd81b27b3a9aea873c21c1663ec5cd08e1a7982c9479e24acc96dc49e5bbd3ef

memory/1268-1623-0x0000000001390000-0x0000000001779000-memory.dmp

memory/1268-1638-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG17.PNG

MD5 7c707de88ac21b3c96714ec7518a23e3
SHA1 c0ad9f5ad7e0584a1734c6c8123883c3c938a3e8
SHA256 a4ea28436ddb281bd848406fc8136a15738ff86ebf5f7e1925f69accb97d6dc2
SHA512 403fd9ef1071ed76fd25a9d67e8084de0f5954d1864bc49cdfd68b24c6869c5b079f46a11ee086c57f831a61db27394f7b96c5355f0fe111ddc1284971e53ad1

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_401_x64\jre1.8.0_40164.msi

MD5 4b80c230492aedab6757f904167b4e17
SHA1 ca169fc089c12341ac8a023e98e5f7d58a1d5d90
SHA256 0d961da2bc9f0fe029c31beb616d5069b718abd7f494f28a86fc6ace8e4718ea
SHA512 fcfbaa9c987bda1143f2596aca5bb3c04eebbb8ff7cacb9f855ef66d4c1b433a0a07c9694dcaff56f481df0234e8cc833e0c4b66aa52c2541db5fc562a741aca

memory/1268-1736-0x0000000001390000-0x0000000001779000-memory.dmp

C:\Windows\Installer\MSIEF03.tmp

MD5 64a261a6056e5d2396e3eb6651134bee
SHA1 32a34baf051b514f12b3e3733f70e608083500f9
SHA256 15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0
SHA512 d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

memory/832-2203-0x00000000022C0000-0x00000000032C0000-memory.dmp

memory/832-2204-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

MD5 625bd85c8b8661c2d42626fc892ee663
SHA1 86c29abb8b229f2d982df62119a23976a15996d9
SHA256 63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a
SHA512 07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

MD5 6684bd30905590fb5053b97bfce355bc
SHA1 41f6b2b3d719bc36743037ae2896c3d5674e8af7
SHA256 aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20
SHA512 1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

memory/1268-2331-0x0000000001390000-0x0000000001779000-memory.dmp

memory/2516-2339-0x0000000002480000-0x0000000003480000-memory.dmp

memory/2516-2351-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-2359-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-2366-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-2367-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-2369-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-2384-0x0000000002480000-0x0000000003480000-memory.dmp

memory/1924-2419-0x00000000022D0000-0x00000000032D0000-memory.dmp

memory/1924-2446-0x00000000022D0000-0x00000000032D0000-memory.dmp

memory/1924-2459-0x0000000002580000-0x0000000002590000-memory.dmp

memory/1924-2460-0x0000000002590000-0x00000000025A0000-memory.dmp

memory/1924-2462-0x00000000025A0000-0x00000000025B0000-memory.dmp

C:\Config.Msi\f770c5c.rbs

MD5 c9493d7b3d9c6eed6759755a74bf8a93
SHA1 59be0f6b8a29d6a0f525d24c5fde28cba6a6663e
SHA256 fe52a1d4b129980ef475f694dc13186c51dfc1e1b5df17dbf221286cf5ca1bc7
SHA512 5fdab8a9db6e8867bbbe7056b4587fc2c6a327b6ea2b66a401410a4ffa4a95bf7565b5335f2042e70777cd4f62bebac29ef6d8d00e7642de12d55d06749cd9b6

memory/880-2565-0x00000000021D0000-0x00000000031D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

MD5 eb0e30a3f9fc2dbc3f3e9ace396131c7
SHA1 158756f79e79f4a50cc15510fe73e999f6f0c7c3
SHA256 e1b95245c16b4d1178a60bf85370b1b0b4932b72cfd58a943064dc52f3e9a52a
SHA512 5a6c2b01e4ec311bca7785b217a1c77f44e2b8c5e9019c3093846bd56083eb9c4d07c4fca17ddfe0cb883770bead5e7942bdb1d04f0cf60d1a0c2598dea161f1

memory/1668-2586-0x00000000021C0000-0x0000000002430000-memory.dmp

memory/2488-2639-0x0000000002230000-0x0000000003230000-memory.dmp
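The dropped-file entries above follow one layout throughout the report: a path line, then MD5, SHA1, SHA256 and SHA512 lines; memory-dump entries (memory/<pid>-...) carry no digests. The following is an added example, not part of the sandbox report, that turns that layout into IOC records and checks a directory tree against them. SAMPLE_REPORT is a constructed excerpt that copies two entries from this page; the temporary files built in demo() are constructed too. The split between a SHA-256 match (strong) and a file-name match (weak) matters here: paths such as ...\Oracle\Java\jre1.8.0_401_x64\... show the installer bundling a Java runtime, so a file merely named jre-windows.exe on a host proves little on its own, while a digest match against the listed hashes does.

```python
"""IOC records from the report's dropped-file list, then a host check.
Added example, not part of the sandbox report. SAMPLE_REPORT is a constructed
excerpt copying two entries from this page's file list."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 af1d24091758f1e02d51dc5f5297c932
SHA1 dc3f98dded6c1f1e363db6752c512e01ac9433f3
SHA256 e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd
SHA512 8d4264a6b17f7bbfd533b11ec30d7754a960a9f2fbef10c9977b620051c5538d8eb6080ea78e070904c7c52a6ce998736fad2037f6389ad4c5c0ce3f1d09e756

memory/1268-1527-0x0000000001390000-0x0000000001779000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 5760004377be9c3cbe1e39a45f1199bc
SHA1 d38467fc0c449fab72c1469dfd92725f2c2999c8
SHA256 0d543d3c07ae43d5241eef27f5111d2045db4ad2117fe72f8e01807d3fba5d57
SHA512 4c4f453fbe7715705846d25887fb829fd5aee0967092233dd9bc705435efcc3e447f1797adbfb92921dcc3ed22e7c168b503c614f9724df51f903cb74862718f
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


@dataclass
class FileIOC:
    path: str                                   # path as the sandbox reported it
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

    @property
    def name(self) -> str:
        # Report paths are Windows-style; split on either separator.
        return re.split(r"[\\/]", self.path)[-1].lower()


def parse_report(text: str) -> list:
    """Turn the 'path, blank line, digest lines' layout into FileIOC records.
    Entries without digests (the memory-dump lines) are dropped."""
    iocs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                algo, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) != HEX_LEN[algo]:
                    raise ValueError(f"{algo} digest has wrong length for {current.path}")
                current.hashes[algo] = digest
            continue
        current = FileIOC(path=line)   # any other non-empty line starts an entry
        iocs.append(current)
    return [i for i in iocs if i.hashes]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: list) -> list:
    """Walk root; report (file, kind, reported_path) for a SHA-256 match
    ('sha256', strong) or, failing that, a file-name match ('name', weak)."""
    by_hash = {i.hashes["sha256"]: i for i in iocs if "sha256" in i.hashes}
    by_name = {i.name: i for i in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            digest = sha256_of(full)
            if digest in by_hash:
                hits.append((full, "sha256", by_hash[digest].path))
            elif fn.lower() in by_name:
                hits.append((full, "name", by_name[fn.lower()].path))
    return hits


def demo() -> list:
    """Constructed directory: one name-only match and one digest match."""
    iocs = parse_report(SAMPLE_REPORT)
    extra = FileIOC(path=r"C:\constructed\dropped.bin",
                    hashes={"sha256": hashlib.sha256(b"hello").hexdigest()})
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "jre-windows.exe"), "wb") as f:
            f.write(b"not the real binary")   # same name, different content
        with open(os.path.join(d, "harmless.bin"), "wb") as f:
            f.write(b"hello")                 # different name, matching digest
        return sorted(kind for _, kind, _ in scan_tree(d, iocs + [extra]))


if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at a user profile or a mounted image; a "sha256" hit is evidence, a "name" hit is a lead to hash against the full list.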

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-15 17:43
Reported 2024-04-15 17:50
Platform win10v2004-20240412-en
Max time kernel 392s
Max time network 400s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe N/A

UPX packed file

upx

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{4CE80A15-4958-4C55-B796-F566ADAC759E} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 542454.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
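The row above is msedge.exe touching a SmartScreen named stream on the still-unfinished .crdownload file. Browsers on Windows record download provenance in NTFS alternate data streams; the one the rest of the platform acts on is Zone.Identifier (the Mark of the Web), and streams survive the rename to the final file name on the same volume. The following is an added example, not part of the report, that reads and decodes that stream so the downloaded installer's origin can be checked during triage. SAMPLE_ZONE_STREAM is constructed and its URLs are placeholders, not values from this page.

```python
"""Read and decode the Mark-of-the-Web (Zone.Identifier) alternate data stream
attached to downloads. Added example, not part of the sandbox report.
SAMPLE_ZONE_STREAM is constructed; its URLs are placeholders."""
import os

SAMPLE_ZONE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/get\r\n"
    "HostUrl=https://cdn.example.invalid/TLauncher-2.919-Installer-1.3.3.exe\r\n"
)

# URL security zone ids (URLZONE_*) as written into ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str):
    """Parse the INI-like [ZoneTransfer] section. Returns None when the text is
    not a Zone.Identifier stream (no numeric ZoneId), so callers can treat
    'no mark' and 'unreadable mark' the same way."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    if not values.get("ZoneId", "").isdigit():
        return None
    zone = int(values["ZoneId"])
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "referrer": values.get("ReferrerUrl"),
        "host": values.get("HostUrl"),
    }


def read_stream(path: str, stream: str):
    """Read a named NTFS stream via the path:stream syntax. Only meaningful on
    Windows/NTFS; elsewhere, or when the stream is absent, returns None."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:{stream}", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def mark_of_the_web(path: str):
    """Decoded Zone.Identifier for a file, or None when it carries no mark."""
    data = read_stream(path, "Zone.Identifier")
    return parse_zone_identifier(data) if data else None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_STREAM))
```

On the host itself, `Get-Item -Path <file> -Stream *` lists every stream on the file (Zone.Identifier, SmartScreen and any others) and `Get-Content -Path <file> -Stream Zone.Identifier` prints the text that mark_of_the_web() decodes.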

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
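Read together with the Processes list below, these rows describe two unrelated trees. PID 3016 (the installer) writes into PID 3420, irsetup.exe, the runtime of the Indigo Rose Setup Factory framework that the _ir_sf_temp_0 directory and the __IRAFN/__IRAOFF arguments belong to; werfault.exe is later invoked with /p 3420, so that same runtime process crashed. The firefox.exe rows are the browser's own parent process writing into content processes it launched (the -contentproc command lines). The sandbox records WriteProcessMemory for ordinary child launches too, so the pattern worth hunting for is a write into a process that runs a different binary and was not spawned by the writer. The following is an added example, not part of the report, that collapses the repeated rows into one edge per (source, target) pair, rebuilds the tree, and separates same-image writes from cross-image ones. ROWS is a constructed, shortened copy of the table above.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows and
separate same-image writes from cross-image ones. Added example, not part of
the sandbox report. ROWS is a constructed, shortened copy of rows on this page."""
import re
from collections import defaultdict

ROWS = r"""
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3016 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 3376 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 856 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2868 wrote to memory of 3372 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Source PID, target PID, then two image paths. Paths contain spaces, so the
# first path is matched non-greedily up to its ".exe" and the rest is the second.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def parse_rows(text: str) -> dict:
    """Collapse repeated rows into {(src, dst): (src_image, dst_image, count)}."""
    edges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        src_img, dst_img, n = edges.get((src, dst), (m.group(3), m.group(4), 0))
        edges[(src, dst)] = (src_img, dst_img, n + 1)
    return edges


def classify(edges: dict):
    """Same-image edges (writer and target run the same binary, as the browser
    content processes here do) versus cross-image edges, where both ordinary
    spawning of a different binary and injection into a foreign process appear."""
    same, cross = [], []
    for (src, dst), (src_img, dst_img, n) in edges.items():
        rec = (src, dst, image_name(src_img), image_name(dst_img), n)
        (same if rec[2].lower() == rec[3].lower() else cross).append(rec)
    return same, cross


def render_tree(edges: dict) -> list:
    """Indented tree, one line per process, roots first; counts annotate edges."""
    children, images = defaultdict(list), {}
    for (src, dst), (src_img, dst_img, n) in edges.items():
        children[src].append((dst, n))
        images[src], images[dst] = src_img, dst_img
    targets = {dst for _, dst in edges}
    lines = []

    def walk(pid: int, depth: int, note: str, seen: set):
        if pid in seen:            # guard against a malformed cyclic input
            return
        seen.add(pid)
        lines.append(f"{'  ' * depth}{pid} {image_name(images[pid])}{note}")
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, f" ({n} write event(s))", seen)

    for root in sorted(p for p in images if p not in targets):
        walk(root, 0, "", set())
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render_tree(edges)))
    for src, dst, a, b, n in classify(edges)[1]:
        print(f"cross-image write: {src} {a} -> {dst} {b} x{n}")
```

Cross-image edges are the ones to reconcile against the Processes list: if the target also appears there as a child the writer launched, the write is part of process creation; a target with no such launch is the injection case.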

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\515004542a5d4676a77b503b192ab6c9 /t 876 /p 3420

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.0.1228229175\520720536" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89dc637-ff12-4400-a6c2-06628286886d} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1836 1d49ca0ee58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.1.515332813\2005320785" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1332fed-f2ac-495f-b38b-405bbd2e3d98} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2404 1d48fd88d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.2.1556525951\735010926" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab079856-e670-47fb-8512-66a9f3502592} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2980 1d49f8edb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.3.1209212337\1783483486" -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5abfac29-03a5-4b77-9a17-7c080f95318a} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3988 1d4a1b46558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.4.1662370508\621343641" -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {088c3525-4c95-4132-af0d-fbbb2e48f528} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5168 1d4a3e66158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.5.2053481274\1594978448" -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b02a870-051d-4b4d-9174-a5c8f58f58ca} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5296 1d4a3e66758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.6.802818947\2042195371" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46aff685-30d6-4fd0-90e8-c92df9dd2752} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5484 1d4a3e67f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.7.643523807\2086537567" -childID 6 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a2dc2f-f1c6-418b-ae21-3eea5cd7ff87} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 5888 1d4a354e658 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac4d046f8,0x7ffac4d04708,0x7ffac4d04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8

C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\e17a32795ed2427c822b9c510b215c86 /t 5636 /p 5928

C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\9b670e8ca714427896e4807c5aea1450 /t 6140 /p 5124

C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_3\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4084619521-2220719027-1909462854-1000"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9461182241412293018,3809705104178592081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 /prefetch:2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

memory/3420-12-0x0000000000E80000-0x0000000001269000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

memory/3420-592-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3420-597-0x00000000039B0000-0x00000000039B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

memory/3420-617-0x0000000000E80000-0x0000000001269000-memory.dmp

memory/3420-618-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3420-642-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3420-644-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_788_BNYXZJZCAAMHHKLB

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\Downloads\Unconfirmed 542454.crdownload

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c70b3.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

memory/5928-1267-0x0000000000200000-0x00000000005E9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.dat

memory/5928-1850-0x0000000010000000-0x0000000010051000-memory.dmp

memory/5928-1856-0x0000000006DA0000-0x0000000006DA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\check_latest_tl.txt

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG1.BMP

MD5 3adf5e8387c828f62f12d2dd59349d63
SHA1 bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a
SHA256 1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0
SHA512 e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG1.PNG

MD5 300bf5341502ba7eee93c2b16c63af7a
SHA1 c0b30be839455dfe2f514c07c52dd085392bb022
SHA256 046d24487296987dd7126d52df2bcf36040bb573f8fa695018e255b48200f7b2
SHA512 7720d9e1b94bcd4480100d430bb103d332214b7062212a33e066e60457659645251b86c1e331b1afd872ac5cae1835b826c94f9400c56bc40fd43ba1c4daa6a7

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG3.BMP

MD5 f5d6a81635291e408332cc01c565068f
SHA1 72fa5c8111e95cc7c5e97a09d1376f0619be111b
SHA256 4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26
SHA512 33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG2.BMP

MD5 f35117734829b05cfceaa7e39b2b61fb
SHA1 342ae5f530dce669fedaca053bd15b47e755adc2
SHA256 9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3
SHA512 1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e407031196e6203d323be53bcfbe0af4
SHA1 e36c0756644249ffe8ab343388ec6de5691ef325
SHA256 f8c0897c1643a4b63bb583720f680d309d557876d48de094f123d6882b90827c
SHA512 96169ea6dc381aa3cbfa0822dd3e3ed375febbd09fb38ab04fa0e4707c6b66996a9aea237ebd50ee571db038bc345148afe9ae33810037abbe069444d1bb0d97

memory/5928-1886-0x0000000000200000-0x00000000005E9000-memory.dmp

memory/5928-1887-0x0000000010000000-0x0000000010051000-memory.dmp

memory/5124-1901-0x0000000000590000-0x0000000000979000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\Menu1Text1EN.html

MD5 afd9d86cd13fb4992a691eb6b7b669f8
SHA1 0bdfb5a6af9acf4b93d1c68a16c0afb4d0ba713f
SHA256 61290ab69926cd585fc7c2bd413657e138f86927d9ce119c13d6ef691ee808cc
SHA512 880340ef1d89260337955ab2e1b8f59525ecf7551c6111b048b067d9879a36a0e9caea6b650e8eefe1a1cc6be4a5084b49e8ecd2d6819229a0a9d86bc8b1612d

memory/5124-2495-0x0000000010000000-0x0000000010051000-memory.dmp

memory/5124-2496-0x0000000002D30000-0x0000000002D33000-memory.dmp

memory/5124-2522-0x0000000000590000-0x0000000000979000-memory.dmp

memory/5124-2523-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 035c44509e6169f5e972c3cb137e84db
SHA1 49972ef8b48dece4e87eed3372f4303f4a6c4279
SHA256 75ade053fc4930c5b74ce36be004dd60e9e8ec2748b2bc027fb67e8e6d476d25
SHA512 ddb210c097a89c925bb5a96ae730b62525f77b80f6aa8a851315de4d816fa706cb1cc3b2c155911f5dad0127bd7d844de7c4ab373e1543a37dc8eca150982670

memory/5568-2562-0x0000000000D40000-0x0000000001129000-memory.dmp

memory/5568-3148-0x0000000006C70000-0x0000000006C73000-memory.dmp

memory/5568-3147-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 86acef5e6bd2eac2fb02e29166378236
SHA1 95261fbe3f1e38bbd8c3c6ae7d9ea45d249abad5
SHA256 f8029e8d42eea558076465e639283167891745264552a1d4b479af23a141d4a3
SHA512 d879757e03f26dc847e6f5fc9cae93f6be16dd1c48248f08b386c5222b584f305a7108ac0fcdf2ba496bc72b13217c6f463e63976780c6a49223711e7b4b34f6

memory/5568-3177-0x0000000000D40000-0x0000000001129000-memory.dmp

memory/5568-3178-0x0000000010000000-0x0000000010051000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-04-15 17:43

Reported 2024-04-15 17:50

Platform win11-20240412-en

Max time kernel 403s

Max time network 279s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.919-Installer-1.3.3.exe" "__IRCT:3" "__IRTSS:24067351" "__IRSID:S-1-5-21-4041115548-3858121278-1660933110-1000"

Network

Country Destination Domain Proto
US 104.20.65.88:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.65.20.104.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 85772cc6142fd068e316f5bcdfb9fa18
SHA1 2b6169f71860685189abef7c46a271b43a6af36b
SHA256 b5e561a9e6aa55cdde55a182aa753b726dd9ce299d1734824ea4ef4f0a1775a8
SHA512 0f03c69813b366ee352c5fc0209fe4a7dc257230f82afdda75d97d7676ff1abf30bc09cb900ce28916e9ee07e5b9f850c4f3ec803c0d23cd572ffee928d0418d

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 c333af59fa9f0b12d1cd9f6bba111e3a
SHA1 66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256 fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA512 2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

memory/2144-11-0x0000000000130000-0x0000000000519000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 dabd469bae99f6f2ada08cd2dd3139c3
SHA1 6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA256 89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA512 9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

memory/2144-598-0x0000000006FA0000-0x0000000006FA3000-memory.dmp

memory/2144-592-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

MD5 83a8f0546164c9ba1a248acedefd6e5d
SHA1 7652f353ed74015e7e78bc9f9e305a48d336b6d1
SHA256 e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9
SHA512 111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

memory/2144-617-0x0000000000130000-0x0000000000519000-memory.dmp

memory/2144-618-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2144-642-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2144-656-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2144-662-0x0000000010000000-0x0000000010051000-memory.dmp