9aaa326da7ca2d0d7015742e3ffe5bce7df63cae147166e52f094a1c20897856

Analysis

max time kernel
153s
max time network
157s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.3.5.exe
Size

23.0MB
MD5

1a2ce8f6f111d438d4467a84d8c74351
SHA1

6f2b6d316eb820ae6875b84df9615e412ae0773a
SHA256

9aaa326da7ca2d0d7015742e3ffe5bce7df63cae147166e52f094a1c20897856
SHA512

8f276c77a73f4035513d463be939e056a67cfcfb28df078b7e63a3f524a5c66d02128ac6a267e84226dfc2916ae74d0f945a12f7326fa89fa97070329d828193
SSDEEP

393216:y25KVUfIscQ5+LTc2rr6of5MJ7ZWqxPAIgtMIMlFRqUX0OT2Hx8HcAobUAKN+:jKVaIsN+LtrrKJBH5lFRq0RD1obUAK0

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

java.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation java.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 21 IoCs

Processes:

irsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exejre-windows.exeinstaller.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exejavaw.exejavaw.exeTLauncher.exejavaw.exeTLauncher.exejavaw.exeTLauncher.exejavaw.exejava.exe

pid	process
2472	irsetup.exe
2284	BrowserInstaller.exe
1432	irsetup.exe
2556	jre-windows.exe
328	jre-windows.exe
2872	installer.exe
1872	javaw.exe
2700	ssvagent.exe
628	javaws.exe
2304	jp2launcher.exe
2180	javaws.exe
1992	jp2launcher.exe
1944	javaw.exe
768	javaw.exe
1412	TLauncher.exe
3964	javaw.exe
2640	TLauncher.exe
1412	javaw.exe
1576	TLauncher.exe
2652	javaw.exe
1728	java.exe

Loads dropped DLL 64 IoCs

Processes:

TLauncher-Installer-1.3.5.exeirsetup.exeBrowserInstaller.exeirsetup.exejre-windows.exeMsiExec.exemsiexec.exeinstaller.exejavaw.exe

pid	process
1700	TLauncher-Installer-1.3.5.exe
1700	TLauncher-Installer-1.3.5.exe
1700	TLauncher-Installer-1.3.5.exe
1700	TLauncher-Installer-1.3.5.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2284	BrowserInstaller.exe
2284	BrowserInstaller.exe
2284	BrowserInstaller.exe
2284	BrowserInstaller.exe
1432	irsetup.exe
1432	irsetup.exe
1432	irsetup.exe
2472	irsetup.exe
2556	jre-windows.exe
1136
1136
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1132	msiexec.exe
2872	installer.exe
2872	installer.exe
2872	installer.exe
860
860
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe
1872	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4076 icacls.exe

pid	process
4076	icacls.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0296-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0401-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0248-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0140-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0374-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0243-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0343-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0355-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0243-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0315-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0321-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0358-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0052-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0383-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0389-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/2472-21-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-662-0x0000000001150000-0x0000000001539000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1432-734-0x0000000000FA0000-0x0000000001389000-memory.dmp	upx
behavioral1/memory/2472-729-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/1432-758-0x0000000000FA0000-0x0000000001389000-memory.dmp	upx
behavioral1/memory/2472-759-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-1312-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-1474-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-2206-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-2422-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-2537-0x0000000001150000-0x0000000001539000-memory.dmp	upx
behavioral1/memory/2472-3198-0x0000000001150000-0x0000000001539000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

25 1132 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
25	1132	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259447446\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSID1F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A94.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B81.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c8e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76c8e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B31.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c8db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB9F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c8de.ipi	msiexec.exe
File created	C:\Windows\Installer\f76c8e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c8e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c8db.msi	msiexec.exe
File created	C:\Windows\Installer\f76c8de.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID163.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c8e4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c8e4.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exejava.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeirsetup.exejre-windows.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0115-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0180-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_180"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0195-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_195"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0307-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0163-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0396-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0312-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0181-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0171-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_34"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0192-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_274"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0315-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_71"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0359-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0401-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0114-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0357-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0392-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0168-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0306-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0364-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0323-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0185-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0328-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0248-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_68"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0231-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0302-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0365-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBA}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0311-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0207-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0363-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0093-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0280-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0305-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_305"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0135-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0181-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0160-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0180-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0115-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0052-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0184-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_271"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_73"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0366-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0224-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0304-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_304"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_09"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0253-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0076-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_76"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0166-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_191"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_257"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_227"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0383-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_383"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_65"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_223"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0302-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_64"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_159"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0317-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0228-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0173-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

irsetup.exeirsetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	irsetup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

irsetup.exemsiexec.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
1432	irsetup.exe
1432	irsetup.exe
1132	msiexec.exe
1132	msiexec.exe
628	javaws.exe
2304	jp2launcher.exe
2180	javaws.exe
1992	jp2launcher.exe
1132	msiexec.exe
1132	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-windows.exe

pid process

328 jre-windows.exe

pid	process
328	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	328	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	328	jre-windows.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeSecurityPrivilege	1132	msiexec.exe
Token: SeCreateTokenPrivilege	328	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	328	jre-windows.exe
Token: SeLockMemoryPrivilege	328	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	328	jre-windows.exe
Token: SeMachineAccountPrivilege	328	jre-windows.exe
Token: SeTcbPrivilege	328	jre-windows.exe
Token: SeSecurityPrivilege	328	jre-windows.exe
Token: SeTakeOwnershipPrivilege	328	jre-windows.exe
Token: SeLoadDriverPrivilege	328	jre-windows.exe
Token: SeSystemProfilePrivilege	328	jre-windows.exe
Token: SeSystemtimePrivilege	328	jre-windows.exe
Token: SeProfSingleProcessPrivilege	328	jre-windows.exe
Token: SeIncBasePriorityPrivilege	328	jre-windows.exe
Token: SeCreatePagefilePrivilege	328	jre-windows.exe
Token: SeCreatePermanentPrivilege	328	jre-windows.exe
Token: SeBackupPrivilege	328	jre-windows.exe
Token: SeRestorePrivilege	328	jre-windows.exe
Token: SeShutdownPrivilege	328	jre-windows.exe
Token: SeDebugPrivilege	328	jre-windows.exe
Token: SeAuditPrivilege	328	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	328	jre-windows.exe
Token: SeChangeNotifyPrivilege	328	jre-windows.exe
Token: SeRemoteShutdownPrivilege	328	jre-windows.exe
Token: SeUndockPrivilege	328	jre-windows.exe
Token: SeSyncAgentPrivilege	328	jre-windows.exe
Token: SeEnableDelegationPrivilege	328	jre-windows.exe
Token: SeManageVolumePrivilege	328	jre-windows.exe
Token: SeImpersonatePrivilege	328	jre-windows.exe
Token: SeCreateGlobalPrivilege	328	jre-windows.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exejp2launcher.exejp2launcher.exejavaw.exejavaw.exejavaw.exejava.exe

pid	process
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
2472	irsetup.exe
1432	irsetup.exe
1432	irsetup.exe
328	jre-windows.exe
328	jre-windows.exe
328	jre-windows.exe
328	jre-windows.exe
2304	jp2launcher.exe
1992	jp2launcher.exe
3964	javaw.exe
3964	javaw.exe
1412	javaw.exe
1412	javaw.exe
1412	javaw.exe
1412	javaw.exe
2652	javaw.exe
2652	javaw.exe
1728	java.exe
1728	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-Installer-1.3.5.exeirsetup.exeBrowserInstaller.exejre-windows.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 1700 wrote to memory of 2472	1700	TLauncher-Installer-1.3.5.exe	irsetup.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2472 wrote to memory of 2284	2472	irsetup.exe	BrowserInstaller.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2284 wrote to memory of 1432	2284	BrowserInstaller.exe	irsetup.exe
PID 2472 wrote to memory of 2556	2472	irsetup.exe	jre-windows.exe
PID 2472 wrote to memory of 2556	2472	irsetup.exe	jre-windows.exe
PID 2472 wrote to memory of 2556	2472	irsetup.exe	jre-windows.exe
PID 2472 wrote to memory of 2556	2472	irsetup.exe	jre-windows.exe
PID 2556 wrote to memory of 328	2556	jre-windows.exe	jre-windows.exe
PID 2556 wrote to memory of 328	2556	jre-windows.exe	jre-windows.exe
PID 2556 wrote to memory of 328	2556	jre-windows.exe	jre-windows.exe
PID 1132 wrote to memory of 1728	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1728	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1728	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1728	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1728	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 2872	1132	msiexec.exe	installer.exe
PID 1132 wrote to memory of 2872	1132	msiexec.exe	installer.exe
PID 1132 wrote to memory of 2872	1132	msiexec.exe	installer.exe
PID 2872 wrote to memory of 1872	2872	installer.exe	javaw.exe
PID 2872 wrote to memory of 1872	2872	installer.exe	javaw.exe
PID 2872 wrote to memory of 1872	2872	installer.exe	javaw.exe
PID 2872 wrote to memory of 628	2872	installer.exe	javaws.exe
PID 2872 wrote to memory of 628	2872	installer.exe	javaws.exe
PID 2872 wrote to memory of 628	2872	installer.exe	javaws.exe
PID 628 wrote to memory of 2304	628	javaws.exe	jp2launcher.exe
PID 628 wrote to memory of 2304	628	javaws.exe	jp2launcher.exe
PID 628 wrote to memory of 2304	628	javaws.exe	jp2launcher.exe
PID 2872 wrote to memory of 2180	2872	installer.exe	javaws.exe
PID 2872 wrote to memory of 2180	2872	installer.exe	javaws.exe
PID 2872 wrote to memory of 2180	2872	installer.exe	javaws.exe
PID 2180 wrote to memory of 1992	2180	javaws.exe	jp2launcher.exe
PID 2180 wrote to memory of 1992	2180	javaws.exe	jp2launcher.exe
PID 2180 wrote to memory of 1992	2180	javaws.exe	jp2launcher.exe
PID 1132 wrote to memory of 1884	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1884	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1884	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1884	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1884	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1888	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 2776	1132	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.5.exe" "__IRCT:3" "__IRTSS:24068259" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1708464" "__IRSID:S-1-5-21-2721934792-624042501-2768869379-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\jds259435497.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds259435497.tmp\jre-windows.exe" "STATIC=1"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:328

C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
5⤵
- Executes dropped EXE
PID:1944

C:\Program Files\Java\jre-1.8\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
5⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
3⤵
- Executes dropped EXE
PID:1412

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3964

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
5⤵
- Modifies file permissions
PID:4076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding ADC0F15EDC8986BB31D70276A74615A3
2⤵
- Loads dropped DLL
PID:1728

C:\Program Files\Java\jre-1.8\installer.exe
"C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
"C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:2700

C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Program Files\Java\jre-1.8\bin\javaws.exe
"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180

C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 7DC734323C24A08185B4DEDCC1243FA8 M Global\MSI0000
2⤵
PID:1884

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD484ECF5F5218B6CEFC27AA75DDA759
2⤵
PID:1888

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BDA4A17B0F24082757A404C115475C81 M Global\MSI0000
2⤵
PID:2776

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1576

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\bin\java.exe
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\bin\java.exe -Xmx1024m -Dfile.encoding=UTF8 -Djava.net.preferIPv4Stack=true --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED --add-opens=java.desktop/sun.java2d=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.image=ALL-UNNAMED --add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.desktop/java.beans=ALL-UNNAMED --add-opens=javafx.web/com.sun.webkit.network=ALL-UNNAMED -cp C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\aopalliance-1.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\checker-qual-3.12.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-codec-1.9.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-compress-1.23.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-io-2.11.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-lang3-3.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-1.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-api-1.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-vfs2-2.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\desktop-common-util-1.11.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\DiscordIPC-0.5.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\dnsjava-2.1.8.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\error_prone_annotations-2.18.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\failureaccess-1.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\fluent-hc-4.5.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\gson-2.8.8.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guava-31.0.1-jre.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-7.0.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-assistedinject-7.0.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\hamcrest-core-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\http-download-1.11.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\httpclient-4.5.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\httpcore-4.4.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\j2objc-annotations-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jakarta.inject-api-2.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-17.0.0.1-win.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-17.0.0.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javax.annotation-api-1.3.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-api-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-core-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-impl-2.3.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jcl-over-slf4j-1.7.25.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jopt-simple-5.0.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\json-20230227.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jsr305-3.0.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junit-4.13.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-common-2.6.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-native-common-2.6.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\junrar-0.7.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\log4j-1.2.17.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-classic-1.2.10.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-core-1.2.10.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\lombok-1.18.30.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-api-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svn-commons-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svnexe-1.4.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\MinecraftServerPing-1.0.2.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\mockserver-netty-no-dependencies-5.14.0.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\modpack-dto-2.2914.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\picture-bundle-3.72.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\plexus-utils-1.5.6.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\regexp-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\skin-server-API-1.3.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\slf4j-api-1.7.25.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\statistics-dto-1.73.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\tlauncher-resource-1.6.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\url-cache-1.1.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\xz-1.9.jar;C:\Users\Admin\AppData\Roaming\.tlauncher\starter\original-TLauncher-2.921.jar; org.tlauncher.tlauncher.rmo.TLauncher -starterConfig=C:\Users\Admin\AppData\Roaming\.tlauncher\starter\starter.json -requireUpdate=false -currentAppVersion=2.921
3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\system32\cmd.exe
cmd.exe /C chcp 437 & wmic CPU get NAME
4⤵
PID:1536

C:\Windows\system32\chcp.com
chcp 437
5⤵
PID:2752

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
5⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c8df.rbs
Filesize
962KB

MD5
630092c725b5a6b278b2bc34dbd2bfeb

SHA1
f1620c71e886cf0886a9374e4eea9409475415b1

SHA256
83f87c3a576fe79df9c4eec78416a32bd4a42be31120dbf87ab111899a6fefd0

SHA512
d6c5f50a15f74c7f3da250f6e4699a630773bff40ebdb7f65e72bd840124e33f48a9691ffaac556bf7af1249dccfeeffcbba4de8ac0d9b796049f1cbb8d59e73

Download Submit
C:\Config.Msi\f76c8e5.rbs
Filesize
7KB

MD5
312aae4d80c6266d5bb2d6c6c273cac3

SHA1
c6b3d8c3cac4e4937bd9022304be86429be702c1

SHA256
9c51222adf82f373212bc30c96667faaffee1429395bba924653a62f22ae9c90

SHA512
90e545a0bf04f82071f8fbe96826c4cf5fcc39bb2d39837d9284d479dc24200e625f619cf03d9e885ac47e0cdf30b537a27ca30e94e6025937d057121475aef6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk
Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
173B

MD5
625bd85c8b8661c2d42626fc892ee663

SHA1
86c29abb8b229f2d982df62119a23976a15996d9

SHA256
63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a

SHA512
07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
de89ac8bdade03160bb40c74e76ec7d1

SHA1
39fc8033533711c0852c72378d823d86a4813d4f

SHA256
2995000e5fa6a13830a94d3afe96c1f0453e4bd7a8ee6182ac1db67ecbb0d727

SHA512
2bb2dd473aa3e364148cc7f1e48ebe4b7f578d0d54699e8c602d74a115c5adeffb74f0b7529d977b023ee6064f0e0c6e963cb96a8c4ec1c92f92698b1be70f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f3aa448b8effb113bbc42ae435ff2d07

SHA1
81d5936681c3e71e5e5ead54c888802d24a2f31b

SHA256
b3279289a2f158de9e82ddf0ca00e5851274d0c19def7f293f1f535d4859c1c3

SHA512
ace8030296193d033c320618abcba8ab4a43d05aa2cc33c5df40d3abda4f6dd17a18a0be80595cda9c8ba7af48529d9169dc21e25c5cde0e20ff03f6afd35e59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0782461412583b12df97adf42d0c0119

SHA1
e80137d519f8e82735d2b0d47ba9e4ddb446c513

SHA256
6812de36424adbcec101767b98ef51afcc85840d1ce612c73964d1773219cbfb

SHA512
afee18a7aecbf266d6ae2fd0cac6d91cd7256fc6a5bcc2f80ec6a63e514ed4a0281d779c55a6bee8ee29f96a488684e1819c165a7030b98ad870cc905f066b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
cc3fb64142c3db7e12352745ae3da22d

SHA1
8e8fe388a1a2112fec29ceff454fc35a03991595

SHA256
ade178176c91c43c16ce6b841f4367285e3224bea532b27ec29af1ee2b9c8abc

SHA512
0482acc96791de3231cf0b96ce7c9d836be89d885d5235d64d1a9fa82903d7db207c3e68799da788db3421f9fd6e0e246983c1f440444c27ed82ffa474209ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_401_x64\jre1.8.0_40164.msi
Filesize
60.9MB

MD5
4b80c230492aedab6757f904167b4e17

SHA1
ca169fc089c12341ac8a023e98e5f7d58a1d5d90

SHA256
0d961da2bc9f0fe029c31beb616d5069b718abd7f494f28a86fc6ace8e4718ea

SHA512
fcfbaa9c987bda1143f2596aca5bb3c04eebbb8ff7cacb9f855ef66d4c1b433a0a07c9694dcaff56f481df0234e8cc833e0c4b66aa52c2541db5fc562a741aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\host[1]
Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\layout[1]
Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\masthead_left[1]
Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\l10n[1]
Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\masthead_fill[1]
Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\common[1]
Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\rtutils[1]
Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\runtime[1]
Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF1358750087380663564.tmp
Filesize
424KB

MD5
4c41e856744eb797e9936359a6509287

SHA1
0959e6f4dd535eb6fae388b6b9ac179dcf3afd76

SHA256
83ff53f599acefc11f5cf63fd0516d4db72aacf7f0125a5f79c9ff222cbf9dd7

SHA512
07ae284caa316315da74246c960198a7d549acf86f96cec550f41109fcd870a69ccac9818361657fb859e89d2bdc8398c7731c80d274d99a768102022a5f6e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF14612041874621803351.tmp
Filesize
141KB

MD5
54a91b0619ccf9373d525109268219dc

SHA1
1d1d41fcadc571decb6444211b7993b99ce926e2

SHA256
b2efabca5ea4bc56eea829713706b5cd0788b82aca153bd4adde9b1573933b4f

SHA512
7f79ff3b42a672371814f42814aa5646328b1a314691d30ce09ffdc7a322adcb1af66625274f7fac024ca2f22a42b625001735711c430faef6e077e1f1d24887

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF16561320954912550898.tmp
Filesize
156KB

MD5
607fc518b9f6506e5ef66c2839c69149

SHA1
55be7d31240add9837da746369bf0bb5c52e0f6f

SHA256
7149f8f1d8b0386ab74427c78d660e211c572ffd901897f86475319d28248083

SHA512
05785828204fab7789aac12c10fa4d77673ac89741e6749424f863d69f13ac6731ff215eb80eee84820ad0461f754e863c9cb8045beb25efde5179a2c5ccb1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF18280506218725233467.tmp
Filesize
477KB

MD5
ec5d243a9958b3858b5a71fb9a690da7

SHA1
d80b02c91addef2ef58136d1a7df0189f453388c

SHA256
a4ece920f221b78d43b550d615c5934db162b64a331ffa663a85199e74ef2e6b

SHA512
479512c6076249a63a822d307b3d8c65d44d19abfadc597f0293fedf2c4fbac2ba6f60ca98d2c1dbb638ad09f3eb1419b6ef391fb098c7d1b62237bce9d79931

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF9171527868344356327.tmp
Filesize
132KB

MD5
afa7a91dadd77b23634a0fdf18c148f3

SHA1
6cbb57ba2355cf442e06899898ff5af55867103e

SHA256
9287925cae90ac480804094ff0876832065e2db116470da1f524d79ed9c18b70

SHA512
84d123b67505522c256f4ff79c3822eabe2d63036023896e9854298ff39e050bef7894f6320ccf950592015760354683c4dbd19aa203d433a04a5d6bb28e8115

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AFF.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
Filesize
1.6MB

MD5
83a8f0546164c9ba1a248acedefd6e5d

SHA1
7652f353ed74015e7e78bc9f9e305a48d336b6d1

SHA256
e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9

SHA512
111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG14.PNG
Filesize
43KB

MD5
7d26a524b09feacb9db695415e1a66b2

SHA1
724f925c2663b623a9755bf722b3f297c8ff605a

SHA256
867072872533f9000508dafdd49f5b83e03de7b611b454290e062034a423dc74

SHA512
6adae2bb7c7e390f5e50df048fb3417c31b025c4d32abcb97ef8206ae3f0769997650cdba178bbad8c34f07a4e613666388e4b9bc465549b47a8f01f0dec4a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG
Filesize
644B

MD5
859d53eb6f971993774da3bccee533a4

SHA1
c51f8e6a9cbd749b77edfeb324ef18ffdfc8e4fc

SHA256
768c5aa62161f6ddcab82911e727bf7d902c8d3d24d7c62726542b32ae70f3e7

SHA512
5e2f6cd3ffd37a02b5d198046e422bd7c19acca91675a6c38f58d0a985dcc640aedbdab969df9afbc8be6367df071d8e77663c42d5529d9c798602e6c97d246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG17.PNG
Filesize
40KB

MD5
69862e8a82c503fbc5cea0c9e8a33876

SHA1
a69deda06d6224750bf1ab941bf934bf5250fe4b

SHA256
8fc3a97777dec1ab22f74f069354cab4880731b873452694921cac9814059858

SHA512
db86fbd4e1692de8a2dc6816d34e28b12badaed81ad07a7ce4fc225a212fee63eccd1f51c5ebdf7485ee8c0db716f9ac649cd2a4aae92218372582e7ab3d3951

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP
Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG
Filesize
438B

MD5
b7b32e3aeb677124b236d776ef443489

SHA1
3249a596e03148836131988b8ca9392f677a7470

SHA256
f60847a54bde74835d80bb41bc3c57ad211ca30d69c2eb48ef7bffc7c6b44d0c

SHA512
f9044d9da82099a0747b3de0382db0999a9f80cbfe894ed9c4961498c41c5db9055c32d699424b6c5835230a2d74df491151beb90f0ff959b580164b2defab2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
Filesize
136KB

MD5
1ffd93751bc3400074dc0affa49ddfaf

SHA1
81be618514bdb88161333386f326cfcac2075517

SHA256
e65cc17886b8632c1ff12ff8a97128d3ca379a6b9ad2c0300788f43958c458be

SHA512
b2aefcf3a2f3e4da57c3507f7b419d229985cee88c782232dd90a96a6e9dbe46c18a7a58c7c4d1a3fe4b8b4b187f884fa09ac9e9a70d179e941704d7cbfddb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1396463509157910543.tmp
Filesize
5KB

MD5
a439014382612e34b571515b64a71058

SHA1
6b5e3070b27d66e5be4fa719c2adf662ddcf9323

SHA256
ab54464948dec30d9d13e624bd5e5d0d59ef641b9efdab4eb869fb255a54e357

SHA512
e33c7b8b7aaa6fd551057f8dca9bf84686ef97b6a6b3653a4bc64129faeb3385e70d7f5e366e4f6536d61bf9ba69d64ba6a155962cb8763680e7e00f30632654

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1960299772856661352.tmp
Filesize
231B

MD5
794eb92e3b9d16b375d8e07b08ba29a6

SHA1
1e45467f771e3dc86de7c026d5239513db961367

SHA256
3aa536e4a0eaf52249c31ad4c033cf59af476d71682d0a14656059220f6fd217

SHA512
6a22fcc67788528fbe6cbe89eb166bde8d91dcf808f65cce948fdf040f22aba8b81d68e8e8beb987b8e5de554576678f5e7df9eeac0cd83454c20072fb396819

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio7998533888077121034.tmp
Filesize
239B

MD5
12010d9c529ad2ad3979c3a7e7ebb6d1

SHA1
185800c92cbfc1ca6978a663f15aa8bf47b664e5

SHA256
7e20b79a691e10fcd0d78f70723384a4a8d574310adc507d6babbe87ee4f9af5

SHA512
4fe1890ed691f81c5716da565150a408beb1c7a91f1dda3e9f65f665dd6744c624de45fc4c22e09ef8c9e99c84d6c6d60a6c199bb1cbe93c70a7b2da3abda7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB

MD5
3a8f2cc432ad17a6a3b9b535107a8b00

SHA1
84a1c13b4d2fccd3b68fee7a3e21f1c588d3d509

SHA256
7c995566d2156daca6991b4d2a0ee8563215e6c699b7f913fff5c27e2fc2780d

SHA512
c549b08cebf98b19223ef20b846d839481b9c5b23ed2ced0e0337eb53cd4eea4f9829e27e2332589f0d28d23ff7bb34c409987526ff8ef23560622570abca442

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
4KB

MD5
a9c7b68be2605a78e5949aca2ded2433

SHA1
0e423049e2926d6e6f5500842c0ff2cc80e051d2

SHA256
52b3452facc700430e7656acb9324a6b993d58d30f395341cd3c47672ff0db74

SHA512
d32899d63cfcf00606d678b09bde6c7de3231d86a945feed11276de0d2dc0f96bfcc72d37334999c19d22ee53d04ee17818eeec33f0a3f50ae6629835ac29cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
23KB

MD5
be4baf6230de9336ab9c7803d79adca3

SHA1
427832929fab02f13dd22f76099a83c648b4c21d

SHA256
e44f2ed1a1ed614fc7643c2e275c9eb158532fcd3f6f7ba7546e7cfd5c397300

SHA512
bcb8d5dd8b05bb8a2843093709c2392258e55240f1e89eafe63479feb2e78bb6801fc56c59cdd7369817ef82f491fda9edb862bd1e0f02dd0efe221a548c8cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
741B

MD5
f5daf011b1368b2f0eb882f187cc8682

SHA1
4c04befe10dd872e3c28f7de752ffb942ed90241

SHA256
00d7d8552bb98a4d6ad4fe4a259853200daeeb53887631d912a75ed7d7f856f2

SHA512
c106dabcb1ed89d0d9397c1464926c7e75f72e9f9018c63e71c953141b8793ce6d2d21156a0b3f821948c35d514d50fe8a591abdfebe0987b544ebf07d10615c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
Filesize
9.1MB

MD5
fa9848f3cff6d80b5704c6d2ccb10c2b

SHA1
714c93f3fc2b915efae0cac6028d317711d59264

SHA256
63ff7897d3a90de887c1baebb2ef7b87e596f1749e07322090786c902bdd8d16

SHA512
9078f5e3583a2b2cd43f63f023908f652a4c6eb647b1bd8988d33e8f2f1d34d44192ce50b795ffd9764d94a343bdc2ecdb94483ceef79739a92ff8d6a0f9a41b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG
Filesize
45KB

MD5
d1172f72e8fec2b8ddbfe964b7197dd6

SHA1
91b86d380b4cf7f3fc6dba2be364551f0194ceab

SHA256
a8f33799d6ea706548917b5686b7bd1c6f077fcb344cbd51e9af8d7b4ffbb7d3

SHA512
afa1b94831188a4d15314a9c2a7c528e7c748a51030bbf6dfb735de5288f5a5fbcd6db3c275a0346c69dd6e999b50df81c7bf63a0cc5cc5c563c49844d363acb

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG
Filesize
206B

MD5
982b81691cac850c2b98b252e4064660

SHA1
0c284934268046484921afa55587d863a3a241a3

SHA256
3aca81c52680324664bf3128976503ce73931444b956cb3127810661dccd1687

SHA512
5be188c92fd6dc8ff014f4f4ff3195edc69edb6142833a42ad49d45807ccb6bc5e7309a91d5a7f822f96f2951872f85d7a48328d123d2df59158af64a15e9f69

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG13.PNG
Filesize
41KB

MD5
2fe88aedf465ed13678cdbc685e44fa0

SHA1
624f5a00e7cb017e9bfdfab79f6594a7e02171db

SHA256
4351cce19e5189a474a3e5dfba8c1c33e51bd875c1d574e5069b49a752f9f665

SHA512
6fbff486e7064d083ba8d12d0bffa102fdd61a3f818bc85516ed12b287b582adfe7d358d6ace18b45978bbafd9d9a1df2e08dde8291cabb35677314e99ab299c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG
Filesize
475B

MD5
b0a5a3db3901023adfc16cff5a381ead

SHA1
dfa2662d731eba223ede334a6f875b33e0da964e

SHA256
88812d618bc05aea2f43fe26cc7fb24953883418e51d6ca14d6a57fead9b97fd

SHA512
8eb6e90e6884b6ae0fdf943f4326d3ecf34eb9cc5e73d87137ffdea7caaf11cbf48bb7571096d7ed1e0de6c5627cddc9e018eeab2bfbe6639b573ac4b5209960

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG
Filesize
368B

MD5
9d399665b43d4310c637b43ae523da04

SHA1
5984f23773322e93fb762168cc1924fdab9cca0b

SHA256
c64efebdbee0cba76aa97b61953cfeab0097443bafdddc840feeb81ab0b4f2f7

SHA512
b881e136b499b8a32a68273d476daa5b258823cceaccf73740341f2af366458e66e1e91d5da8cf8bb07dd8f67665774caef58f15031c3bcc0a2ddad41d0c6145

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
18KB

MD5
a60a7f703c372c536ef48c367634a90c

SHA1
2f598657194f2a3274559f15457559f3365f79f5

SHA256
f430c6514204819a1a8d4248855ec68524ab47b953de10145f0be4ee771e3ea6

SHA512
58a9a0dad6a73a317d8ed1d7b4074eb98d5a9fd3e1b44865b6c66b5aeb0ff68b3c024b36804253df83eedbfd263508a9a58706d735819a0cc854da1ced49f8a5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml
Filesize
4KB

MD5
054aecf886611935c82cb961eb3ac31c

SHA1
7c79d08bd6cbaa60db2a645ebe542f670dd18fd9

SHA256
d92b458492dc534ee4d0ba3c24166164b14955c45329401885f64a2fb8e6ecb3

SHA512
0b82aceaec2a2a6528b22639d924cf1b21b5cb43f3a78026c020bed4e170398a5382951c1d043a2b976915aeca6f6f9ddfdc2a1d2ba143c7203b8eaa9f29b656

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.jre_removed.json
Filesize
2KB

MD5
5e2f3f4a6d81d9370769128b16218fa1

SHA1
54bc3d355ee4c76da90bde7f290a20af1762b938

SHA256
66347d46051d314f0b02fc594e5a9c4e06f21e3adfa3ea36e593cba63afb313c

SHA512
b952c46efa6c32a9b4b77c8b48cfdc6d5aa5d24ab060f9313c1df792bc18913d286c148277c34c8ea7c9c8bd5a3d332509078f89583bee3ad847398b3a7272c1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.libraries_removed.json
Filesize
13KB

MD5
656afe320bf34a8a79617a9740821eff

SHA1
88dd7d0e1331f159881458ccab29a81b93e11785

SHA256
4ae1e18c84222293da3912b6fc06dd66abb20612c984f915607bb90026718f1c

SHA512
532be539066de0b3124ea36f06c197de34cf056878c124f393f7f7ae6b32a80401f325a99c0ce282f468a83f4e9b9c8747018b2bac100e0bff70b49065c8a01e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.921\dependencies.json
Filesize
17KB

MD5
dd4d9eb42e26f86cdb8f58ac1401e217

SHA1
24fd4a27ca650aae032ad1ecc15f1b7560803822

SHA256
22127b008d98bf65a5fe9f846641eae124975eeb91b0af0285be977037c41993

SHA512
5df828b723041e41db19a58a20c8446a791a1dc07d3669b080c4d128b229dd8fa5b43f83f445ade20545339bc402372d7924861acdfecea1e609dbe7545fda1e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.921\resources.json
Filesize
17KB

MD5
d892039e33a914bdd174cbfdfd0e7331

SHA1
42754a8f3d087d09999d8b89ce6ea4eab522f1f9

SHA256
5acb848f36f188765ef517f67d90fda54892af1d5db3612ba8ed5d3802e2fbb6

SHA512
f21dd600db9140adc394b749485102a89723a7696101cf19ca6e365f2be9d3a7b0ad54a335985065165c07122415afb9a85170cc1144b8acf237f07538865511

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json
Filesize
3KB

MD5
91db38ec63d5ba27c2d84d1ce4f5950f

SHA1
0f981c54c5dc136c271387b919d0da1c043484d0

SHA256
4a21a1eada9a254e366a32670c65ae5e1fa9b12ac72b1be4e55be54347a1f38e

SHA512
299ea4bbf286e7f4d1eac2b9ed5e06d0deb25a79d3d8effd8524154b576c16b14074e6d6d4c8225cd633e2cccc74547a3ebeff1ced03e99b6879cba08e330356

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json
Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-codec-1.9.jar
Filesize
257KB

MD5
75615356605c8128013da9e3ac62a249

SHA1
9ce04e34240f674bc72680f8b843b1457383161a

SHA256
ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce

SHA512
b65531ead8500493e3dd14a860224851b80f438fc53bf8868b443a0557d839a2b0c868e4fedcf99579ae04b6b2bbd8cdb37f9921ad785983c37569aa9d2e8102

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\guava-31.0.1-jre.jar
Filesize
2.8MB

MD5
bb811ca86cba6506cca5d415cd5559a7

SHA1
119ea2b2bc205b138974d351777b20f02b92704b

SHA256
d5be94d65e87bd219fb3193ad1517baa55a3b88fc91d21cf735826ab5af087b9

SHA512
c8d8aa38e6fb04c409c37922efcbbe182f65156a853f691d8381d56eea208adf22f7a28873bb7895210e41857dd4411aaf952682a2692051220e281910d0798f

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\httpclient-4.5.2.jar
Filesize
719KB

MD5
e0a45df625cb96b69505e59bb25a0189

SHA1
733db77aa8d9b2d68015189df76ab06304406e50

SHA256
0dffc621400d6c632f55787d996b8aeca36b30746a716e079a985f24d8074057

SHA512
c75a4027ca5fe08a1d2b5ac1f632df2fa6d18725dcd45735ac021e19ba24f0438b53f34ee72282f5895a25d3493499bb60d03ccc215797413ca8613ac0918431

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.12.json
Filesize
304B

MD5
c0aa9a1b0900982f72e072f6f85a0ce1

SHA1
922c8819eea3221d2c0d36071558707168d36fcb

SHA256
cf2131de69ea20ba705838999ff20a5e94dd888ec08c3230f90b09b7e5d1801b

SHA512
ebb26772bf7cb67297653f9dbda5478cb43f9c0575cb730797023374e6cb8b8b683fa8d11fc28b2bd09d4c33adc67203b92741e96d91e5a4010fb6f432da8527

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.7.10.json
Filesize
300B

MD5
33386dab73eb261523775cbcac309300

SHA1
dfd076b6e8492a83e39c00fcdea9dbe282e3dba7

SHA256
9eab2926a13dc0e6d4889c0aa4d1f3b8f1df6c02f2ee087b5fcecb7a4f780c87

SHA512
445e1a1eee477d68c4bccd5ca942985d4485138622e4a2f48b3a1fc11fa70c4d9a7abf5f403a2989f78662de04fd3a38c0c6376fa0cd10bfd0ca1dcf5082267c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\COPYRIGHT
Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\java.logging\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ADDITIONAL_LICENSE_INFO
Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\ASSEMBLY_EXCEPTION
Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-17.0.10-windows-x64\legal\javafx.web\LICENSE
Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\original-TLauncher-2.921.jar
Filesize
3.2MB

MD5
8c425bd3d3db69b2d3dfe63a07493a11

SHA1
2b5f2ad8649e9eeb0563e17ca6cabbb4073d0af8

SHA256
91c69c36ce1d2fb657b4f7bd90c592acd9e87e6d4825118b1183c737fa5a32ce

SHA512
90c09a18deddb620542232cf3807223012469a2e2ba91c5aa7a63a4c97f935dd71a4f361a38b68541ad9a570d3fb76cea3067de22855488722773bce6accb088

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CX4Y0V18.txt
Filesize
869B

MD5
61d2730f1599440e8fca98c673935d3e

SHA1
5cb6606d02e5afe0e2abdc0a2b70aac2552b6e90

SHA256
d1c2e6d3e2bd1542ef9933200be204dc6fb9c2d7039424b7a86717784b58b48f

SHA512
08de05f876431fcd8a67d06a971ed6b4d21e61f85031fa3deee796eeb067fc69465b7b6b5486cda85034a46ee796d573ad8899c0e499e6592ac76e09a939c587

Download Submit
C:\Windows\Installer\f76c8e1.msi
Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.2MB

MD5
d795ef2a7b1d60d78cf3d4d083346a7c

SHA1
68a623b6b821476e543ea8dadb02ee3a78c55762

SHA256
c367e0f3b55b16ff6f167f19a3885b9dc7e9e34c0ccdf1df06af5ce7656bd61a

SHA512
bbc4161586240074989c56c9abed3bb36cc68516f03a741438a07633c21343a2a3c2ce43d741f83096e28a541ffb58e56c348cf8ebaa3dc91ae8953bb72c1666

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.2MB

MD5
a266e0ae1001da0023f9664afbcaee99

SHA1
f943c180e5221a5943039c21b21f394dd99cbe14

SHA256
819b9a02a788445ad6c4d8f38e05abe911e289e71e4d2c2e37923c9f66f576cf

SHA512
525b8473b17732ba94942df63b0e43b26ee0157b137a1a39f52034b04ce686097e92ec8d9ea422acf02edc4385863c0179a6af73af01dfcfc1cb6d7c9dad1e7c

Download Submit
\Users\Admin\AppData\Local\Temp\jds259435497.tmp\jre-windows.exe
Filesize
64.0MB

MD5
96d622d62567def49ad8999324a66709

SHA1
5a4749631631d97e9db816f5cca2392e69d0b7d9

SHA256
953b06705f72bfffac774c41ceb359fe1d3f8a0c5d6a44f93597ce9c39399994

SHA512
c2d350895f47c5164138d2e3befbeb0acda8097a7904a28d9ad9db70ea0aabb3ec54a476dcb2746a41308fb79616d810305c53f7e23a4856a3f9eb656896de0d

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe
Filesize
64.4MB

MD5
af1d24091758f1e02d51dc5f5297c932

SHA1
dc3f98dded6c1f1e363db6752c512e01ac9433f3

SHA256
e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd

SHA512
8d4264a6b17f7bbfd533b11ec30d7754a960a9f2fbef10c9977b620051c5538d8eb6080ea78e070904c7c52a6ce998736fad2037f6389ad4c5c0ce3f1d09e756

Download Submit
\Windows\Installer\MSICB9F.tmp
Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
memory/328-2379-0x000007FFFFF70000-0x000007FFFFF80000-memory.dmp

Filesize
64KB

Download
memory/768-2527-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1412-3266-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1412-4200-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/1412-3265-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/1412-3264-0x0000000001F70000-0x0000000001F7A000-memory.dmp

Filesize
40KB

Download
memory/1412-3231-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1412-3195-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1432-734-0x0000000000FA0000-0x0000000001389000-memory.dmp

Filesize
3.9MB

Download
memory/1432-758-0x0000000000FA0000-0x0000000001389000-memory.dmp

Filesize
3.9MB

Download
memory/1700-20-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/1700-19-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/1700-14-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/1700-15-0x0000000003330000-0x0000000003719000-memory.dmp

Filesize
3.9MB

Download
memory/1728-5275-0x0000000063350000-0x000000006335A000-memory.dmp

Filesize
40KB

Download
memory/1728-5276-0x0000000063350000-0x000000006335A000-memory.dmp

Filesize
40KB

Download
memory/1728-5210-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/1728-5274-0x0000000063350000-0x000000006335A000-memory.dmp

Filesize
40KB

Download
memory/1872-2048-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1944-2516-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1944-2513-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-2313-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1992-2289-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1992-2275-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1992-2286-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2284-731-0x00000000032A0000-0x0000000003689000-memory.dmp

Filesize
3.9MB

Download
memory/2284-730-0x00000000032A0000-0x0000000003689000-memory.dmp

Filesize
3.9MB

Download
memory/2284-733-0x00000000032A0000-0x0000000003689000-memory.dmp

Filesize
3.9MB

Download
memory/2284-732-0x00000000032A0000-0x0000000003689000-memory.dmp

Filesize
3.9MB

Download
memory/2304-2221-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2304-2263-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2304-2237-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2304-2234-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2472-2422-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-3198-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-729-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-760-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2472-2537-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-2206-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-1474-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-759-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-1313-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2472-21-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-698-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/2472-662-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-1312-0x0000000001150000-0x0000000001539000-memory.dmp

Filesize
3.9MB

Download
memory/2472-1325-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/2472-663-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2472-599-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2472-600-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/2640-3209-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2652-5059-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2652-5058-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/3964-4011-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/3964-3263-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3964-3234-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3964-3229-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/3964-3230-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/3964-3213-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download