d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f

Resubmissions

07/07/2024, 06:56

240707-hqjsnawerp 8

07/07/2024, 06:53

240707-hntj3sydqb 7

07/07/2024, 06:51

240707-hmjngswenm 7

Analysis

max time kernel
155s
max time network
308s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.8.exe
Size

24.1MB
MD5

ff77de2eb5a4366f68735e22ce263d3c
SHA1

8758fe1d1ab6359e3011a41e35529185f75a0b99
SHA256

d896da5d7f9f64d5375d41081a29f93dce7bf14c1974c9cde8979ee7a98b522f
SHA512

30ef806a6dd951ae33e05e40f99577675bc4dfab0a8fe6d239ebbb46e026899484e140af36e41959ea29886e54d49022cbe5c7e4dcdaffcdab67ae85f7976e60
SSDEEP

786432:WKqHyU7V5bJmM9irrKJBH5lFRqH0fYk/pUJ8a:WKay+sMQPKJBZlCUfYSpUJ8

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
1320	irsetup.exe
2948	BrowserInstaller.exe
1536	irsetup.exe
2840	jre-windows.exe
2904	jre-windows.exe
3044	installer.exe
828	javaw.exe
2056	ssvagent.exe

Loads dropped DLL 64 IoCs

pid	Process
2352	TLauncher-Installer-1.4.8.exe
2352	TLauncher-Installer-1.4.8.exe
2352	TLauncher-Installer-1.4.8.exe
2352	TLauncher-Installer-1.4.8.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
2948	BrowserInstaller.exe
2948	BrowserInstaller.exe
2948	BrowserInstaller.exe
2948	BrowserInstaller.exe
1536	irsetup.exe
1536	irsetup.exe
1536	irsetup.exe
1320	irsetup.exe
2840	jre-windows.exe
1240	Process not Found
1240	Process not Found
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe
1780	msiexec.exe
3044	installer.exe
3044	installer.exe
3044	installer.exe
848	Process not Found
848	Process not Found
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe
828	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4028	icacls.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016c7d-3.dat	upx
behavioral1/memory/2352-6-0x0000000003620000-0x0000000003A09000-memory.dmp	upx
behavioral1/memory/1320-19-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-693-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-768-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-770-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-793-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-810-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/files/0x000c00000001e227-848.dat	upx
behavioral1/memory/1320-861-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2948-860-0x0000000003650000-0x0000000003A39000-memory.dmp	upx
behavioral1/memory/1536-866-0x00000000013A0000-0x0000000001789000-memory.dmp	upx
behavioral1/memory/1536-933-0x00000000013A0000-0x0000000001789000-memory.dmp	upx
behavioral1/memory/1320-1667-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-1685-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-1797-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-2584-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/1320-3683-0x00000000000C0000-0x00000000004A9000-memory.dmp	upx

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	1780	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\installer.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f78aadf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB92F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB797.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA87.tmp	msiexec.exe
File created	C:\Windows\Installer\f78aae2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC370.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB301.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB892.tmp	msiexec.exe
File created	C:\Windows\Installer\f78aae4.msi	msiexec.exe
File created	C:\Windows\Installer\f78aadf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB489.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDE2.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-1.8\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0222-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0352-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_352"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_14"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0094-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_181"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0349-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0105-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0258-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0085-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_85"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0328-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_147"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_259"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0116-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_116"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0155-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_87"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0226-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0332-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0232-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_232"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0216-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0346-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0387-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_51"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0123-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0301-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0305-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0361-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0304-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0248-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_248"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0099-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0362-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_362"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0129-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.10802	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0352-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0358-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0240-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0206-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0259-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_56"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0405-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0377-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_26"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0182-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0103-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0163-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_163"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0110-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0235-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	ssvagent.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1536	irsetup.exe
1536	irsetup.exe
1780	msiexec.exe
1780	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2904	jre-windows.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeSecurityPrivilege	1780	msiexec.exe
Token: SeCreateTokenPrivilege	2904	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	2904	jre-windows.exe
Token: SeLockMemoryPrivilege	2904	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	2904	jre-windows.exe
Token: SeMachineAccountPrivilege	2904	jre-windows.exe
Token: SeTcbPrivilege	2904	jre-windows.exe
Token: SeSecurityPrivilege	2904	jre-windows.exe
Token: SeTakeOwnershipPrivilege	2904	jre-windows.exe
Token: SeLoadDriverPrivilege	2904	jre-windows.exe
Token: SeSystemProfilePrivilege	2904	jre-windows.exe
Token: SeSystemtimePrivilege	2904	jre-windows.exe
Token: SeProfSingleProcessPrivilege	2904	jre-windows.exe
Token: SeIncBasePriorityPrivilege	2904	jre-windows.exe
Token: SeCreatePagefilePrivilege	2904	jre-windows.exe
Token: SeCreatePermanentPrivilege	2904	jre-windows.exe
Token: SeBackupPrivilege	2904	jre-windows.exe
Token: SeRestorePrivilege	2904	jre-windows.exe
Token: SeShutdownPrivilege	2904	jre-windows.exe
Token: SeDebugPrivilege	2904	jre-windows.exe
Token: SeAuditPrivilege	2904	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	2904	jre-windows.exe
Token: SeChangeNotifyPrivilege	2904	jre-windows.exe
Token: SeRemoteShutdownPrivilege	2904	jre-windows.exe
Token: SeUndockPrivilege	2904	jre-windows.exe
Token: SeSyncAgentPrivilege	2904	jre-windows.exe
Token: SeEnableDelegationPrivilege	2904	jre-windows.exe
Token: SeManageVolumePrivilege	2904	jre-windows.exe
Token: SeImpersonatePrivilege	2904	jre-windows.exe
Token: SeCreateGlobalPrivilege	2904	jre-windows.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
1536	irsetup.exe
1536	irsetup.exe
2904	jre-windows.exe
2904	jre-windows.exe
2904	jre-windows.exe
2904	jre-windows.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 2352 wrote to memory of 1320	2352	TLauncher-Installer-1.4.8.exe	30
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 1320 wrote to memory of 2948	1320	irsetup.exe	33
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 2948 wrote to memory of 1536	2948	BrowserInstaller.exe	34
PID 1320 wrote to memory of 2840	1320	irsetup.exe	36
PID 1320 wrote to memory of 2840	1320	irsetup.exe	36
PID 1320 wrote to memory of 2840	1320	irsetup.exe	36
PID 1320 wrote to memory of 2840	1320	irsetup.exe	36
PID 2840 wrote to memory of 2904	2840	jre-windows.exe	37
PID 2840 wrote to memory of 2904	2840	jre-windows.exe	37
PID 2840 wrote to memory of 2904	2840	jre-windows.exe	37
PID 1780 wrote to memory of 1508	1780	msiexec.exe	40
PID 1780 wrote to memory of 1508	1780	msiexec.exe	40
PID 1780 wrote to memory of 1508	1780	msiexec.exe	40
PID 1780 wrote to memory of 1508	1780	msiexec.exe	40
PID 1780 wrote to memory of 1508	1780	msiexec.exe	40
PID 1780 wrote to memory of 3044	1780	msiexec.exe	41
PID 1780 wrote to memory of 3044	1780	msiexec.exe	41
PID 1780 wrote to memory of 3044	1780	msiexec.exe	41
PID 3044 wrote to memory of 828	3044	installer.exe	42
PID 3044 wrote to memory of 828	3044	installer.exe	42
PID 3044 wrote to memory of 828	3044	installer.exe	42

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.8.exe" "__IRCT:3" "__IRTSS:25232442" "__IRSID:S-1-5-21-1385883288-3042840365-2734249351-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-1385883288-3042840365-2734249351-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\jds259549939.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds259549939.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2904
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        
        PID:1680
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre-1.8\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        
        PID:1348
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    PID:2680
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      PID:1932
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:4028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A5F5059FDC431281D00396E9DED70F60
  2⤵
  - Loads dropped DLL
  PID:1508
- C:\Program Files\Java\jre-1.8\installer.exe
  "C:\Program Files\Java\jre-1.8\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-1.8\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={71024AE4-039E-4CA4-87B4-2F64180401F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:828
- - C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
    "C:\Program Files\Java\jre-1.8\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2056
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:552
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1528
- - C:\Program Files\Java\jre-1.8\bin\javaws.exe
    "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:2704
  - - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
      "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW5camF2YXcuZXhl -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1364
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 85F4F40E812E592924B1007103B620AF M Global\MSI0000
  2⤵
  PID:964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A34E5EB2D0D0E9DBD4745E5A41D9C954
  2⤵
  PID:1044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F34DCE231724BA87A4560015C218FC57 M Global\MSI0000
  2⤵
  PID:2560

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
PID:2636
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78aae3.rbs

Filesize
962KB

MD5
092a2491a26a491a2503c9e364b9e529

SHA1
e42d361233cf650fcbff5a1ad3915b1d07e795ca

SHA256
abce132572a1caac8161bf82ad5b610c8ca9c90db069c827b21ce77fce28c5e6

SHA512
ea53f93acdb645a57ade563c4c669ad69e6b44fe2fda75bfbeccb685dfbed1d47df66f475027e8a449c6219524355265f73ec124ad8293d8298e8ad4b1eedd7e

Download Submit
C:\Config.Msi\f78aae9.rbs

Filesize
7KB

MD5
8f8fc7cdd537d4d88738490d021491b1

SHA1
19d6484b5afd4a8b6e9c14558b9ee4763929b5a9

SHA256
03bfa28f6c4cf80cadca4430959b87832ac1d1bd1e53f2b9d60bd8eb88f53de0

SHA512
55fc62c56572f5abd95155942d909ed27714ff9aa82fd615af57daaa4b29f75dd707d5f6fbe9ba8358a892946b203a4ef1d73e55521e79806754fc986c6e8044

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk

Filesize
197B

MD5
b5e1de7d05841796c6d96dfe5b8b338c

SHA1
c7c64e5b35d0cca1a5c98a1c68e1e5d4c8b72547

SHA256
062cb9dec2b2ce02c633fc442d1a23e910e602548a54a54c8310b0dde9ae074d

SHA512
963a89b04f34bc00fea5b8e0f9648596c428beac2db30d8b0932974b15c0eb90b7c801ba6fa1082ea9d133258f393ae27e61f27fd3b3951f5c2e4b8c6a212c2d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
177B

MD5
6684bd30905590fb5053b97bfce355bc

SHA1
41f6b2b3d719bc36743037ae2896c3d5674e8af7

SHA256
aa4868d35b6b3390752a5e34ab8e5cba90217e920b8fb8a0f8e46edc1cc95a20

SHA512
1748ab352ba2af943a9cd60724c4c34b46f3c1e6112df0c373fa9ba8cb956eb548049a0ac0f4dccff6b5f243ff2d6d210661f0c77b9e1e3d241a404b86d54644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
173B

MD5
625bd85c8b8661c2d42626fc892ee663

SHA1
86c29abb8b229f2d982df62119a23976a15996d9

SHA256
63c2e3467e162e24664b3de62d8eeb6a290a8ffcdf315d90e6ca14248bc0a13a

SHA512
07708de888204e698f72d8a8778ed504e0fe4d159191efb48b815852e3997b50a27ba0bc8d9586c6fb4844166f38f5f9026a89bbbc3627e78121373982656f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
81c04dff935d96eb135b8d32e554c1e6

SHA1
a4977d45ef02bed7f0012928f807e7614589bfc6

SHA256
afb27598bd54a19f89b0b51c3f61a2b13206ad163a5a21b9631050923e78cceb

SHA512
ebce5b1ae76efa3d246eccd4a881c5a39610a3509e799e6bd26be795846303c0179e48ad1752c71f01031710510cba003874917bf53f347335b4f8f216e947f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7b602ad4a3ceb6385127e45d4e7bb0e

SHA1
3514b97d62c62c3ca859520cc7a037ceac37becc

SHA256
f89b04dee1bdf2a07c404faa21a82bca238453642122474348ce3e22c17d395b

SHA512
36e994b1f833e6ac48580a862677b05e655cc6a9c6ea3dae49cda8b233b102541cb4bc9191fbf94ebb537a87f49e28fe769efed67ce7e348bd1c2dc2fade6b66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dbec835f6acd01cf1857c332336d5f5

SHA1
bff8bb91600047fe6361ed51277453e8da277542

SHA256
ca9896ebdd5e9cf911d37985de1b7d93a3aeb5ae006885bf94f7e08047445f65

SHA512
dbccb6276aff2ff50f176f14c9360513ec8f71835cb6e6ebee42164a61b0cda5456c97477842a1bc3f876c43874138c22a4dc8231fa26dc832c2a21bbc05e49d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2398c46f89cb1bdf5f10e85ce3ae78ac

SHA1
dfdc2cfdc8f37be64567238b65c89f0d1d73c948

SHA256
41258f9a2fb90c2c98d8bb0710abc980fcf9cf859854160cdc7485b947e3da92

SHA512
26e702bb4335869ef75605d460c5deffc8437033061ed46dc60376a6494f40c9b8199ff6dc7098463152d1c9181011e37cab736c6b6e736052aa23f25f997816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
ea716b79adc64cf85229c04f3ad74991

SHA1
98c90d80c73bedc336cf37fd2ec1404c174ce633

SHA256
a1f27d1237e9dd2e1ac2d22a5b67219ef51d7293185e997504fd63dd2b0080ad

SHA512
25386a858a89fc18c5cda269a0fb8374de247a7f4f1c2f6c537ee7d24dd19e2d777b6cb2b34ebff83e9a00b0b89df4c4b9d2df85f1bbb1f5adec71c224d456ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\runtime[1]

Filesize
42KB

MD5
5d4657b90d2e41960ebe061c1fd494b8

SHA1
71eca85088ccbd042cb861c98bccb4c7dec9d09d

SHA256
93a647b1f2cadcbdb0fe9c46b82b2b4baf7685167de05933811549145c584ee0

SHA512
237738c0a6cb25efe29effc9c3637245e3e2397207ed51e67bae5a1b54749f88e090de524f7868d964debbb29a920a68205ccbd2dfceed4a1f3cd72d08b16fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF682.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG

Filesize
206B

MD5
bdb247c44cbe2d5f63ac51a2378734f3

SHA1
024844330b6cc23986de94e2b80bc3c2e32c08de

SHA256
53f406badad3465d216d3f0b6f5a87adddec77b04f0bdc585d2de1e786d0aa13

SHA512
23bc82934d62081f6e662624990f2e823da11938d407ab1c0d1c00f4e0377527160ac82cce036b8804f8e76b0505ab7664bce2bfbe96e480baa466ab772820a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
92a58d4723329aef02eca2b8a6e93024

SHA1
dc8d96efd202343e40a12a1b51adcc8328b436fc

SHA256
7d75bce82c63370307200c2528783b8b6e460ad7f2386c82faf23e028896620b

SHA512
3a7824203b4a12d6257a4a54f8ffeebe11f81b964a6fbd373efa01dddb6d3b80f159dad385f454a5ebab257d0aa7621f19f367b2987407b9206859c159483104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
1468502e3f45c3c0a2ffe773591382be

SHA1
be58257e0f5142e6410a22546cc1b6ac0ef0ebc5

SHA256
4845843e4d406900aee87be95ddf84a9272d6660d294f8166b6012657b7a5849

SHA512
2e7f3b52a75d961c39fca45f0a8d2868374f3a543419a4d15fea5b874553ae15052740aa93e04e1a5966c97b4d182ff5171e4237b4e283304af819ab771408d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
10435cc0577cbd746d1855b1d0941e2e

SHA1
61c54d525919dc92540157fb856253d22514a46f

SHA256
d67c14da63fbf4e571195999898f593becb59783f7b9360417d890c2edf3cbef

SHA512
35d1aa70cdc8f791d1f327bcd2b51d3a88448f338762fc87ff97459c7c1a5860127e8bc66ad9cf5f5f4fc9a5bf752b8749c88c86eee13817d24a5a615bc26ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
c62000dc4b635684ceca46116344bcd8

SHA1
9202be85e22535f2312b7db7c77707a05e803336

SHA256
dd7f7f45410e999f2bc0147dc120974c574028a1507ddb14eaeaccb49479bdf1

SHA512
dcce6fa45ac77a99e52079308972d8f44c79cb8c036efb25171ff04b09e52af8cb99830391acbe2f5ee7b5c1240215432b1f88e82f6332a297cdd953bf6a74cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
151KB

MD5
c2be5f72a6cb93af45f70fcd786149a6

SHA1
91a3250d829e7019c7b96dc2886f1d961169a87f

SHA256
f616ad0cc12e4c8c01b1af5dd208aae46a5fdb1b02e8a192dfe84283e1161ca6

SHA512
522b82e48fc4d6c94236f6598352ef198500ef83f2b8d890dd14901173b35d179c567e9540908a9bf145f2492043fa6848182634ee4c58956418884449f223bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
31b52f87e4fa273d040a26763d1f0d37

SHA1
f6a12597cabc57ad7fbbc56a9d0bdddb8a63848f

SHA256
224b11aca3c73341eecd344bdaa2435fcb22b84c5eca7a4956c4844140c84fbe

SHA512
22819f79c86d69c63fbcd42a411adc3fcb7ab117be3feaf33b033d2edd12685efdf1cb47f6a41a3365ff2c0ab6c2d338f748cf522942b11debe7779c10079b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
5867575695f98bbef5d2264c7a03948b

SHA1
8cef37480359779889ee1b2c5dfe16e4f7c2bd9f

SHA256
3e0085902b5160df89c4e28c1598cc1effccce485b22bea3e22d65782de183a0

SHA512
22a56a3251cd231453336ae3c5e7ce8f5dcbdac7940d6def105cf39e102c9aa0aff08ae8703ad06643fb864ba39836f1f8380d0cdbea8d013bae449b0f45ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
24KB

MD5
55c56e460eb292710731e21eb5e4f49a

SHA1
69fd2a259c18e6cc52deeb612ed0f08e23b41974

SHA256
a4bc4e418fef93922cb4ca0bd584852b1971bcb17a99c9adde79c0f681ee73de

SHA512
9c1ef97c9dc1df105dfbc6baa41a8dd1af46fa13492d87a26d077fa7ee8ff56b019c28db916414f8621e3b04fe24d1ecbfc70489dcc1c636c8501781c785ac11

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
751B

MD5
4bb5a93168a9f395b98c71cfe5bf71e4

SHA1
9e177d6d4841ee14f9eb1f69128ce093c4d08833

SHA256
e67dbf28dc616fdd8e0de0b510755e1e72bbbdbadbe071e79d99cd0f46de5920

SHA512
18fc6f29da2aad270644df8ca6425cd670d61582b0301b583b845f223f83354ddcc5aedb0ff0ddb90f95560ca363c851ded4dea5b4922cec121f790a04a894da

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
75271ec49105bb1ad1f2808eff816b2f

SHA1
3f5d1487b681fca37f61c136b5a82b601a9cee24

SHA256
8ce00af9dafad204fe53683a468465b18d6659ff2f2b067b481da2f1a519ec0d

SHA512
5cbf55741a58fb476712b27a321243f1b0d4bd445386bfded6a115eacff488691d7dd482f17849942da00d19e8f2afc3c922a7606dbef7fb345ad467e58f969b

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG12.PNG

Filesize
22KB

MD5
41ab50b3934447b580a3f05a0919de5b

SHA1
a7f811516242d5ec9ec9897f2a7f1af5363705a7

SHA256
49c7cee51e5cc0dabb2cd026c4ab58ac24e8a511619379795806c9aa1f0ad21f

SHA512
63de6de7cd1f087b69e5f69d78266d0d14aee0e22d085eb460b029af053b3a76e39910b26f4486c258d498105f8213574f5a9810ae4f779d3c4310c48dee2687

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
36c744011f2c71f2caa553236b339d03

SHA1
1739c336922e03a8a138999d8247668a279c6d95

SHA256
a7eab595e57de5a17cfe132117b4fef50234dc9a15e452d900b63f9c377f6aa1

SHA512
b1b236dbaf45c78fbdfc5441ec05f95fbf4a64be45d07baf30a70a0c962921d436137e8d618ee872662476615740e88f05cc18d45f0af48511a886c2c165a3a8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
c4aba50a1fac1d4d5e13c5bcd9e852c9

SHA1
9c74e687194c16c8853298b75f1e859392280a1d

SHA256
09aee04971d4f9bb30f0b9fd17b0c6c17fd8a2d3d0a78d9a9b580bc73f1b7f2e

SHA512
88c1b12eb8d915386ecb1145fcd913e3648fc881adaed7264a7ed41ef4993b3d69fb09466464955a93895a65957a6e77e68cc0d808e8f1bca97e362c3b104bbf

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
6ac0e4f3277501ec673ea0c50869f7ee

SHA1
7a469e8fb0f7cbbf9a3dd605c265961e8b939676

SHA256
e1f08449a822c655b834b5cb8cea3e1e78e1aab14d5f9b20743f1fb36a0a3759

SHA512
1b03065fa39fcc84c6bef735e7ce357960f7df29a64d72350ee54af34b5b3de579d00ec9b8f2297bcf48fd9f1d27834a1cb1bc5590afb39a148980740a4df121

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
23KB

MD5
8a44a96f6e22c84e0a9855c837175606

SHA1
6e2e9ca1df2dc3a064e3bcd0cc2abd6289e80e98

SHA256
6b952d9ad6d52dbae712f50475d62d794730c91627f007f429706405947306a3

SHA512
827a7d4402e57de56d0aedcf817cd34a7af7f5a84980e5a5989b360dcfc6ee251878974dbff38971e4fc33dbe989780ca0d1756d871db816150ae50b4be4abd9

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
2KB

MD5
d7a70e07debd2d7fa89f0b064cc34530

SHA1
187001b3189907aaa272f323c85a0486e73e2713

SHA256
3d6b3d89d12ded3e755eb70068873bdd867af63e566655a427e6084c1dfaf5e5

SHA512
000cfe4913f154ab781f55a1493264027a5119b99607a98f21316400969d201b0f2b5aab41e65c975e1b2920e2dab1404e6e821db87e8299b581c34f1f275543

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\NOT_RUN_TLAUNCHER.txt

Filesize
2KB

MD5
7e1f99bbaeab34cb3bbaf61bb56836fa

SHA1
30cca493f09b496fec5f3c83cd31113ee1683c52

SHA256
94df1e31e53e0bd37d0bc1e5df637c7bbf4a1f14b41a7603b8ccf05f61b697ea

SHA512
c5500ebde9754f376d7e4445230af79bdb03bafb48fd72cd5bd02558e93e524ba2f90c670ec1fe0717733d94bd99c89b35e004d23785358a107820a1a4b0b766

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.jre_removed.json

Filesize
2KB

MD5
5e2f3f4a6d81d9370769128b16218fa1

SHA1
54bc3d355ee4c76da90bde7f290a20af1762b938

SHA256
66347d46051d314f0b02fc594e5a9c4e06f21e3adfa3ea36e593cba63afb313c

SHA512
b952c46efa6c32a9b4b77c8b48cfdc6d5aa5d24ab060f9313c1df792bc18913d286c148277c34c8ea7c9c8bd5a3d332509078f89583bee3ad847398b3a7272c1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\bootstrapper.libraries_removed.json

Filesize
13KB

MD5
656afe320bf34a8a79617a9740821eff

SHA1
88dd7d0e1331f159881458ccab29a81b93e11785

SHA256
4ae1e18c84222293da3912b6fc06dd66abb20612c984f915607bb90026718f1c

SHA512
532be539066de0b3124ea36f06c197de34cf056878c124f393f7f7ae6b32a80401f325a99c0ce282f468a83f4e9b9c8747018b2bac100e0bff70b49065c8a01e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.923\dependencies.json

Filesize
17KB

MD5
24817047786540dd5d8cbfb94132c84d

SHA1
ff45f1ae7748fab985e0580c5746b0327a4b59ac

SHA256
a5584b00241e6aa455dce9c0d584d61f8350a7bc07a4137e9289e23f46878721

SHA512
6e048803859517d052d88d8c96c382d481620c1d930e219051264cb2c4d096b5b68d8e8e66ba2244ef7343df99f120600f8763f67bcf060c3132743eca7934ef

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.923\resources.json

Filesize
17KB

MD5
8ab0113596cd48af76657e53d5d93e70

SHA1
3ab4244668932e0396022372d8f311c62ce1b89b

SHA256
b0a6157bb0f4da765f93d13ca167017144c5eb15955015b0b42f7d7c0b70599d

SHA512
55fb4d7ed644ae5e47ee376b00323199788baf596b493b4959ec4c88bdb37295ee59e34d3a7d4310fc9e35d776e1ae19fcead53c09d3a440dcfec8dc6736b170

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json

Filesize
3KB

MD5
a9bd1871a6a69e12bb017e1375b0a659

SHA1
0cc4c515fea150c982d02fa73acf73cfa68810e7

SHA256
f725e50dc4377a28b06589b028cd3cff58845d5ed882b22b17129c4413f8b9b3

SHA512
0595d54b19805f57a1b09a492c90c4c9f655d6a501179966b1a282b0aec90b27eeba634ee4a54fb9982f80ae046e6feb2b3e2097f14a0a3e051e80c162a83bd6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig.json

Filesize
3KB

MD5
e2cbea0a8a22b79e63558273dded5e6c

SHA1
bfbbbba0679adcbcf9e079ed3c7c7a60cb0b2d61

SHA256
10d0f3646be0a7d73942d7bdd1e55c4b8df0c34cad7ad15a9dc23b2932155007

SHA512
a6aa26ff49c911fb4705df1e8e434c72e206b20fdaae0abc529e2734f5db49c75da35c3d75769e0ac1b6795de540de4c7e1089b387217fc58f8b19b023064e5a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-compress-1.23.0.jar

Filesize
2.0MB

MD5
d5ae6a8b6a25a1fe4c1d912d9e85c078

SHA1
a31428af213ff8fb3c427447e439a65432d87e72

SHA256
95c45e5331a7b28649f9b6b4d401284fa1046a3feb7f232c4c6f548641ded783

SHA512
6735f2b8c9ef0b1530377e7c7e677e51b77f40a726a6429e448013e625111594c7ae45784fe7df2a83bbc3075b1e87c0b3f5a4be2c0589241b32fbd8dab5ea0d

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-17.0.0.1-win.jar

Filesize
2.4MB

MD5
00b29086fe3d8082f1cbdc0f2eca3aa7

SHA1
9d9af25816b58bb5e3f43f4693c2298f39789e7c

SHA256
603dd16fecd4046eac2bdc33b112f61a39503c6ceeee10f6ab9fce3010cf519b

SHA512
efd28d1521345d313854c1555711e45a62fef962b9ce9f72d02f6171304f31fc9b0d95da37111895afe4502fab79fa0c8428628e7dfcc41a62ff0166d1374ae8

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-impl-2.3.0.jar

Filesize
941KB

MD5
5d6b1dc4f9ba545681a10b11090dde3e

SHA1
3a3c6a62719d967175b76b63925f1fb495f11437

SHA256
edd691fc6ad7c7f3167e1a6833372367bedf6f4f2a4b8230df444a59bb3718b1

SHA512
c8808d7309fc6404cb23aebe9c3a65247e9d177a9e1d02aeb9bec09b717ced15a63d06f7ea037ce1b11ad8823b05d46f596c98e93e538e437154d4db4ea160bc

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\lombok-1.18.30.jar

Filesize
1.9MB

MD5
14e90bb14cac804c1a6e2024e78f436d

SHA1
f195ee86e6c896ea47a1d39defbe20eb59cd149d

SHA256
14151b47582d570b4de16a147ece3bdbd19ace4aee5bde3a5578c87db9ecb998

SHA512
432978b662744078f86e2e808c692744be31a49ce5bd1ff9188158b1ed262da0b25adf5a5eff23cf6bce1f98df12e424e6e14e6ed34bc22e00b4cb9c8f743135

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\dependencies\tlauncher-resource-1.6.jar

Filesize
3.2MB

MD5
142ede4e6df26e5adb14d4748c09db1c

SHA1
d88c5a0be891dfc743968eaa31b62159fa9e82fe

SHA256
b7d3ac5a21e1b417d6386412f0073b124a51832cb83f1af900fc3a9ae0bf762f

SHA512
b7739eb5fc60634bd95ead6633189c9df0dce33c5140c00d08a22c20043b873a3fef670f36f22e394ed9298e35579b4e9845474244090ca49c2fda1f11e88b9a

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.12.json

Filesize
304B

MD5
c0aa9a1b0900982f72e072f6f85a0ce1

SHA1
922c8819eea3221d2c0d36071558707168d36fcb

SHA256
cf2131de69ea20ba705838999ff20a5e94dd888ec08c3230f90b09b7e5d1801b

SHA512
ebb26772bf7cb67297653f9dbda5478cb43f9c0575cb730797023374e6cb8b8b683fa8d11fc28b2bd09d4c33adc67203b92741e96d91e5a4010fb6f432da8527

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\fix_log4j\1.7.10.json

Filesize
300B

MD5
33386dab73eb261523775cbcac309300

SHA1
dfd076b6e8492a83e39c00fcdea9dbe282e3dba7

SHA256
9eab2926a13dc0e6d4889c0aa4d1f3b8f1df6c02f2ee087b5fcecb7a4f780c87

SHA512
445e1a1eee477d68c4bccd5ca942985d4485138622e4a2f48b3a1fc11fa70c4d9a7abf5f403a2989f78662de04fd3a38c0c6376fa0cd10bfd0ca1dcf5082267c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\removedFolders.txt

Filesize
703B

MD5
66f2bf2a3cfc55320fdcbeadef07c78c

SHA1
2c34e9fdd3cc033a31b26d443b76c643013f0565

SHA256
342732fd5c95d6735b2567ca3638f53842ee19444fd7f36c2f2c437a835d5f1f

SHA512
fcb5d465f37de84bbcb0843e915c9f0ad1f661e2de1b5924d8274d19713754621d806a6bd49679459bf9c87a368efbcee7cff82a1c400b4cefb6c3b063ad6dfe

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\signatures.json

Filesize
8KB

MD5
1c836d1767b58a864ec401f0966914a0

SHA1
6014275288006534525ffa75ce1a1b66438e036a

SHA256
a19b7acbe605085ddee8df50268e1f9284c75ed9584e924f1474916d09d848b8

SHA512
dd43b3222a6398f69c71603762ca595d8a84d47b28d10b5ec0dc8da8fbf9d07deae656791f665de4a2df806a66203bb8ccd3bdf4f29d2596937b17e2c30eee3c

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\tl_dependencies.json

Filesize
1KB

MD5
107d05532cf0a58577ae6de603276a42

SHA1
54c12373677ab04e84cc2e7cb1930649ba38a952

SHA256
b32a5f902b1387192c76cc2d48540dc2b26534caab2d59b2fa054fd48c94a871

SHA512
0812455aae0d77692b903861ecdc1052d7106c387ce28adbfe4e8bca0841fe2d3865be3b16db4c9168ddcfc859370ce2402e2c5181ff34baaaeb9622bce74772

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\starter\НЕ_ЗАПУСТИЛСЯ_TLAUNCHER.txt

Filesize
3KB

MD5
4ddbbef4c1a0a004b853ee4ed7533601

SHA1
d12b2ab682eecc5e3a3b63618fd1c95e2ecbfc87

SHA256
04204513df6f55bd1d47893e0b041ca5284b45c514eda457f3622cd2b3136f4c

SHA512
d30709a61b85914947d89b1438888a29c9467f97171d7a617b36fe417c42e407d7837c9325a3c814690c8a5afdffd13c5de4e0bf26fa1a969f63e9ab0fb79f04

Download Submit
C:\Windows\Installer\MSIB1E7.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
C:\Windows\Installer\f78aae5.msi

Filesize
1.0MB

MD5
d7390d55b7462787b910a8db0744c1e0

SHA1
b0c70c3ec91d92d51d52d4f205b5a261027ba80c

SHA256
4a2f7d9d33e4ad643bf72722587f2b268d92dab3bb1d9bc56af316672e34728a

SHA512
64f3837dd6099561ce9be97d6fae0b11f3f6cc08281f1a3266d5a6f3ca8baf13bbd780735ef62b449b577d62d086f942b48519671226c60f0e1480f9dbdde434

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
b5043eda3b89c980a4957f3667d7d53b

SHA1
2c0a4c924a255e57cd00dc65ff5fe2db45050d49

SHA256
6041dcdad508a9063d182479cf2f25d75b4bc38cb3f0c6f2067843a6b7dcfa08

SHA512
b3b85f7d023b6b59409721d5c4016d436319dee693d036d4498dc68d46a778bdefc7b35aee661a9a1e179ac2fa469dc47c4d5cc45c17df3893b5404eccafbd71

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.2MB

MD5
07552732fa64db456300880d52e81b2f

SHA1
9a653ea405f5f26ec0c2d9a0bc9bcb11ba010efc

SHA256
94bc1aa272183daf13f24594493eea40e02cb9861c76f9de3711c139f5315226

SHA512
47e97e300330ec1523f4af6e87b9866fae2e90cd9b59fc4d02e53e29b223691f980daf1f221f5286dbc1a9a9ddf6e01e7a597c5cf763710c51d84c8d5bac60b0

Download Submit
memory/828-2426-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1320-693-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-861-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-769-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-770-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-772-0x00000000005F0000-0x00000000005F3000-memory.dmp

Filesize
12KB

Download
memory/1320-771-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-793-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-810-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-820-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/1320-687-0x00000000005F0000-0x00000000005F3000-memory.dmp

Filesize
12KB

Download
memory/1320-1667-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-1685-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-2584-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-768-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-19-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-2009-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-1687-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/1320-1686-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-694-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1320-1797-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1320-3683-0x00000000000C0000-0x00000000004A9000-memory.dmp

Filesize
3.9MB

Download
memory/1364-2653-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1364-2691-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1364-2671-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1364-2666-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1528-2615-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1528-2639-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1528-2620-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1528-2599-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1528-2612-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1536-933-0x00000000013A0000-0x0000000001789000-memory.dmp

Filesize
3.9MB

Download
memory/1536-866-0x00000000013A0000-0x0000000001789000-memory.dmp

Filesize
3.9MB

Download
memory/1932-4616-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1932-4617-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1932-3775-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1932-3780-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2352-15-0x0000000003620000-0x0000000003A09000-memory.dmp

Filesize
3.9MB

Download
memory/2352-767-0x0000000003620000-0x0000000003A09000-memory.dmp

Filesize
3.9MB

Download
memory/2352-6-0x0000000003620000-0x0000000003A09000-memory.dmp

Filesize
3.9MB

Download
memory/2352-16-0x0000000003620000-0x0000000003A09000-memory.dmp

Filesize
3.9MB

Download
memory/2360-4614-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2360-4615-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2360-3773-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2360-3774-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2904-2757-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/2948-860-0x0000000003650000-0x0000000003A39000-memory.dmp

Filesize
3.9MB

Download
memory/2948-865-0x0000000003650000-0x0000000003A39000-memory.dmp

Filesize
3.9MB

Download
memory/2948-875-0x0000000003650000-0x0000000003A39000-memory.dmp

Filesize
3.9MB

Download