27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jre-8u281-windows-x64.exe
Size

79.7MB
MD5

c6136758f1fec04a2f7f01249280c315
SHA1

5835e46596fe9f4dfe48fd5dd3947dc650d196ec
SHA256

27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157
SHA512

045f33920fb3882d8f24c06e2179934601396636d2ddc360a2a6f03862e40b188506f8da530e4197e4a0e1c79cda48987e810425079377f357fbcf7950c6b030

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

11 1620 msiexec.exe
12 1620 msiexec.exe

flow	pid	process
11	1620	msiexec.exe
12	1620	msiexec.exe

Executes dropped EXE 17 IoCs

Processes:

jre-8u281-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeMSI2CDD.tmp

pid	process
1384	jre-8u281-windows-x64.exe
792	installer.exe
304	bspatch.exe
1928	unpack200.exe
1880	unpack200.exe
1772	unpack200.exe
1484	unpack200.exe
336	unpack200.exe
1328	unpack200.exe
1164	unpack200.exe
1496	javaw.exe
948	ssvagent.exe
1644	javaws.exe
972	jp2launcher.exe
892	javaws.exe
1084	jp2launcher.exe
568	MSI2CDD.tmp

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

jre-8u281-windows-x64.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exe

pid	process
776	jre-8u281-windows-x64.exe
1248
1248
1228	MsiExec.exe
1228	MsiExec.exe
1228	MsiExec.exe
1620	msiexec.exe
304	bspatch.exe
304	bspatch.exe
304	bspatch.exe
792	installer.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1928	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe
1772	unpack200.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 5 IoCs

Processes:

rundll32.exeinstaller.exe

description	ioc	process
File created	C:\Windows\system32\javaw.exe	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\javaws.exe	rundll32.exe
File created	C:\Windows\system32\java.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exemsiexec.exejp2launcher.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_281\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\plugin2\npjp2.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Damascus	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jaas_nt.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\giflib.md	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\ext\sunec.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\ext\access-bridge-64.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\splash@2x.gif	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\security\blacklist	installer.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\sound.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\GRAY.pf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\messages_es.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Matamoros	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jvm.hprof.txt	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\messages_pt_BR.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\hijrah-config-umalqura.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\cldr.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\images\cursors\cursors.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\plugin2\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\fonts\LucidaTypewriterRegular.ttf	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.policy	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\hs_err_pid1084.log	jp2launcher.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\javafx\directshow.md	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f748c69.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CDD.tmp	msiexec.exe
File created	C:\Windows\Installer\f748c67.msi	msiexec.exe
File created	C:\Windows\Installer\f748c6b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E4C.tmp	msiexec.exe
File created	C:\Windows\Installer\f748c6d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9890.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA002.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f748c67.msi	msiexec.exe
File created	C:\Windows\Installer\f748c69.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exerundll32.exejre-8u281-windows-x64.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	jre-8u281-windows-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_191"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_145"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0182-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_24"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0178-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0218-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0077-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0168-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_21"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0105-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0143-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_02"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0199-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_133"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0261-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0264-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0137-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0176-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_46"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0016-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0068-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0217-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0085-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0244-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0074-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_229"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0032-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

Modifies registry class 64 IoCs

Processes:

rundll32.exessvagent.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_202"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0137-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_137"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_227"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0255-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_75"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_25"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_92"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_52"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0190-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_190"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_93"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_80"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_04"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0184-ABCDEFFEDCBA}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_134"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlps	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0262-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0148-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBB}	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jre-8u281-windows-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-8u281-windows-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-8u281-windows-x64.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

javaws.exejp2launcher.exejavaws.exejp2launcher.exeMSI2CDD.tmp

pid process

1644 javaws.exe
972 jp2launcher.exe
892 javaws.exe
1084 jp2launcher.exe
568 MSI2CDD.tmp

pid	process
1644	javaws.exe
972	jp2launcher.exe
892	javaws.exe
1084	jp2launcher.exe
568	MSI2CDD.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u281-windows-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeSecurityPrivilege	1620	msiexec.exe
Token: SeCreateTokenPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeLockMemoryPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeMachineAccountPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeTcbPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeSecurityPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeTakeOwnershipPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeLoadDriverPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeSystemProfilePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeSystemtimePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeProfSingleProcessPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeIncBasePriorityPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeCreatePagefilePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeCreatePermanentPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeBackupPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeRestorePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeShutdownPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeDebugPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeAuditPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeChangeNotifyPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeRemoteShutdownPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeUndockPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeSyncAgentPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeEnableDelegationPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeManageVolumePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeImpersonatePrivilege	1384	jre-8u281-windows-x64.exe
Token: SeCreateGlobalPrivilege	1384	jre-8u281-windows-x64.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

jre-8u281-windows-x64.exejp2launcher.exejp2launcher.exe

pid	process
1384	jre-8u281-windows-x64.exe
1384	jre-8u281-windows-x64.exe
1384	jre-8u281-windows-x64.exe
1384	jre-8u281-windows-x64.exe
972	jp2launcher.exe
1084	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

jre-8u281-windows-x64.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 776 wrote to memory of 1384	776	jre-8u281-windows-x64.exe	jre-8u281-windows-x64.exe
PID 776 wrote to memory of 1384	776	jre-8u281-windows-x64.exe	jre-8u281-windows-x64.exe
PID 776 wrote to memory of 1384	776	jre-8u281-windows-x64.exe	jre-8u281-windows-x64.exe
PID 1620 wrote to memory of 1228	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1228	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1228	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1228	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1228	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 792	1620	msiexec.exe	installer.exe
PID 1620 wrote to memory of 792	1620	msiexec.exe	installer.exe
PID 1620 wrote to memory of 792	1620	msiexec.exe	installer.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 304	792	installer.exe	bspatch.exe
PID 792 wrote to memory of 1928	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1928	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1928	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1880	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1880	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1880	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1772	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1772	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1772	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1484	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1484	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1484	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 336	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 336	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 336	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1328	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1328	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1328	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1164	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1164	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1164	792	installer.exe	unpack200.exe
PID 792 wrote to memory of 1496	792	installer.exe	javaw.exe
PID 792 wrote to memory of 1496	792	installer.exe	javaw.exe
PID 792 wrote to memory of 1496	792	installer.exe	javaw.exe
PID 792 wrote to memory of 1644	792	installer.exe	javaws.exe
PID 792 wrote to memory of 1644	792	installer.exe	javaws.exe
PID 792 wrote to memory of 1644	792	installer.exe	javaws.exe
PID 1644 wrote to memory of 972	1644	javaws.exe	jp2launcher.exe
PID 1644 wrote to memory of 972	1644	javaws.exe	jp2launcher.exe
PID 1644 wrote to memory of 972	1644	javaws.exe	jp2launcher.exe
PID 792 wrote to memory of 892	792	installer.exe	javaws.exe
PID 792 wrote to memory of 892	792	installer.exe	javaws.exe
PID 792 wrote to memory of 892	792	installer.exe	javaws.exe
PID 892 wrote to memory of 1084	892	javaws.exe	jp2launcher.exe
PID 892 wrote to memory of 1084	892	javaws.exe	jp2launcher.exe
PID 892 wrote to memory of 1084	892	javaws.exe	jp2launcher.exe
PID 1620 wrote to memory of 748	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 748	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 748	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 748	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 748	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1100	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1100	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1100	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1100	1620	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 1100	1620	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\jre-8u281-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u281-windows-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 71ADC49F15CEC242A5B2540F27DF1B0E
2⤵
- Loads dropped DLL
PID:1228

C:\Program Files\Java\jre1.8.0_281\installer.exe
"C:\Program Files\Java\jre1.8.0_281\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_281\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180281F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792

C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_281\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_281\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_281\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_281\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:1484

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_281\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:336

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_281\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:1328

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:1164

C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:1496

C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:948

C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:972

C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 1CDC5156D9295322A315F586E5C0A4C1 M Global\MSI0000
2⤵
PID:748

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding B1F4431852DB20DEAD57B289D447908C
2⤵
PID:1100

C:\Windows\Installer\MSI2CDD.tmp
"C:\Windows\Installer\MSI2CDD.tmp" C:\Program Files\Java\jre7\;C;2
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
2⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_281\bin\VCRUNTIME140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l1-2-0.dll
MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll
MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-synch-l1-2-0.dll
MD5
d175430eff058838cee2e334951f6c9c

SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1

SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a

SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-environment-l1-1-0.dll
MD5
5cce7a5ed4c2ebaf9243b324f6618c0e

SHA1
fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3

SHA256
aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3

SHA512
fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-math-l1-1-0.dll
MD5
fb79420ec05aa715fe76d9b89111f3e2

SHA1
15c6d65837c9979af7ec143e034923884c3b0dbd

SHA256
f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e

SHA512
c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-string-l1-1-0.dll
MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-time-l1-1-0.dll
MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dll
MD5
6f1a1dfb2761228ccc7d07b8b190054c

SHA1
117d66360c84a0088626e22d8b3b4b685cb70d56

SHA256
c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed

SHA512
480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\ucrtbase.DLL
MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\installer.exe
MD5
fa4ee41538e227270b4c5043c5f01659

SHA1
c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c

SHA256
a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98

SHA512
41a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\baseimagefam8
MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\diff
MD5
d5b61c2cfe78a2dd2a3504fe50f3a2af

SHA1
1367bdab2d2d4ca27e5821cb11183f25c091adfa

SHA256
547295e7e127d4b8e03dc8531ca96fbff3d4940a08a2e0237be30955c9f42288

SHA512
057b2deb59a559ec314d3aba0f3b44f35d6607ab5e9538a00cb58066d34a9ce989dbc0aa26b0ffdd20e3ddf60655086b4d4a879bb1f294f08f482734225b9319

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\newimage
MD5
26e47c6e1ea3599d0afc66fab66d1832

SHA1
cfde5aedc9d5f102a35e8c552fc1f8c1adf403f5

SHA256
c998e8ce2e242a54125e408b9d4ea8f9e055e0fe9282a27bb4a521853e140e4d

SHA512
93fff745724345809f74cc5373590b7ef3b9d8047d34de4144036f90dc4020a50ca268891d07ebd13fe32f5894128dd0f608d7aa2ef760bdb90b151b242e4cc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e19b6efae26c7844dc803e9707b2b1b0

SHA1
22ee25cd29e6f6cda5e6a67bf25a5105a992a6af

SHA256
ef30a12f1f4a2f2fbfe30dcab95e4ee63b14dc4cebb6cc9e35d0ca6a5361f069

SHA512
b78ae839111aa7c09ccf555e71075919cee3c1b3f0d0683372f7dc67bef713bf1124a33e4e0f6a2ae48026db991cdf87b0f1d8acccc0fe2ed2304bf64c15cc89

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281_x64\jre1.8.0_28164.msi
MD5
7e071988c06dfbe07b08d3101f529514

SHA1
15253d178036122e31c410a8775ac778d49554cd

SHA256
430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d

SHA512
47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
e390fe14fddc2fba65fb306d65757725

SHA1
31414d2d2fdfb487d99a7dda22f9a136fa79e79c

SHA256
27ef8690caf3ac7b0095b8559995468a2899602181c5a6b6ece09ea2167b0186

SHA512
1ea787c682787b387bec6f2b41522455b14f0201f77aa6e2a56c5678dc121639f702ede51f70b33569c9d8ff9505c205b52103ecbaf1b7b7ecdfb40cd408b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
eb7f3ed3de97d2bd538f57540dcb858b

SHA1
1487ae54ae9b9b33f99d51cc2cdc4777fa8448d0

SHA256
e2cb951a42248e3edec0dae249f66bc6c73a6eae62f87355cba87047732be870

SHA512
659825650eb7e78d6dc019b7bb4f79667abdda85d2df5987809f23e13f5aee9c7ef4a5c1d7182f7d2e03ea7a1bb2716d21e4fb637b7b4947564feb6d0ca064fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
6b73128d739a2cd96b5e10bb25c1e7de

SHA1
e0164bae6bfc75031b1139ec7208bd50ba325724

SHA256
3029aa85bdc6583f69c424721c0dc587645b205958cab204482e167039b17320

SHA512
0d1797ca60054310568e4bf94bd91c638f5f1afd4688576ca8b98cedd95028bb97f36be702a58083074eb8dcbcac8b25ca16a832b2711f6b070f0dd6e59b06ec

Download Submit
C:\Windows\Installer\MSI9890.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\MSI9D71.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\MSIA002.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\f748c6b.msi
MD5
7e071988c06dfbe07b08d3101f529514

SHA1
15253d178036122e31c410a8775ac778d49554cd

SHA256
430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d

SHA512
47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l1-2-0.dll
MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll
MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-synch-l1-2-0.dll
MD5
d175430eff058838cee2e334951f6c9c

SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1

SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a

SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-environment-l1-1-0.dll
MD5
5cce7a5ed4c2ebaf9243b324f6618c0e

SHA1
fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3

SHA256
aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3

SHA512
fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-string-l1-1-0.dll
MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-time-l1-1-0.dll
MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dll
MD5
6f1a1dfb2761228ccc7d07b8b190054c

SHA1
117d66360c84a0088626e22d8b3b4b685cb70d56

SHA256
c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed

SHA512
480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Download Submit
\Program Files\Java\jre1.8.0_281\bin\ucrtbase.dll
MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\installer.exe
MD5
fa4ee41538e227270b4c5043c5f01659

SHA1
c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c

SHA256
a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98

SHA512
41a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
\Windows\Installer\MSI9890.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
\Windows\Installer\MSI9D71.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
\Windows\Installer\MSIA002.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
memory/304-33-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/304-30-0x0000000000000000-mapping.dmp

Download
memory/336-82-0x0000000000000000-mapping.dmp

Download
memory/568-127-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-131-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-151-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-120-0x0000000000000000-mapping.dmp

Download
memory/568-122-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-123-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-124-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-150-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-149-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-148-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-147-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-125-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-146-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-145-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-126-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-144-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-143-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-128-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-142-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-141-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-140-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-139-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-138-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-136-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-137-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-134-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-135-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-133-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-129-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-132-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-130-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-121-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/748-116-0x0000000000000000-mapping.dmp

Download
memory/792-89-0x0000000002BD0000-0x0000000002BD4000-memory.dmp

Filesize
16KB

Download
memory/792-85-0x0000000002BD0000-0x0000000002BD4000-memory.dmp

Filesize
16KB

Download
memory/792-41-0x0000000002BD0000-0x0000000002BD4000-memory.dmp

Filesize
16KB

Download
memory/792-28-0x0000000002BD0000-0x0000000002BD4000-memory.dmp

Filesize
16KB

Download
memory/792-115-0x0000000001BD0000-0x0000000001BD4000-memory.dmp

Filesize
16KB

Download
memory/792-29-0x0000000002BD0000-0x0000000002BD4000-memory.dmp

Filesize
16KB

Download
memory/792-24-0x0000000000000000-mapping.dmp

Download
memory/876-7-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp

Filesize
2.5MB

Download
memory/892-103-0x0000000000000000-mapping.dmp

Download
memory/972-95-0x0000000002370000-0x00000000025E0000-memory.dmp

Filesize
2.4MB

Download
memory/972-101-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/972-93-0x0000000000000000-mapping.dmp

Download
memory/972-98-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/972-99-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/972-100-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/972-97-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/972-96-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/972-102-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1084-112-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1084-108-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1084-104-0x0000000000000000-mapping.dmp

Download
memory/1084-107-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/1084-113-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/1084-111-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1084-110-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1084-109-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/1084-106-0x00000000021F0000-0x0000000002460000-memory.dmp

Filesize
2.4MB

Download
memory/1100-118-0x0000000000000000-mapping.dmp

Download
memory/1164-84-0x0000000000000000-mapping.dmp

Download
memory/1228-14-0x0000000000000000-mapping.dmp

Download
memory/1328-83-0x0000000000000000-mapping.dmp

Download
memory/1384-3-0x0000000000000000-mapping.dmp

Download
memory/1384-5-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1484-81-0x0000000000000000-mapping.dmp

Download
memory/1496-88-0x0000000002190000-0x0000000002400000-memory.dmp

Filesize
2.4MB

Download
memory/1496-86-0x0000000000000000-mapping.dmp

Download
memory/1644-92-0x0000000000000000-mapping.dmp

Download
memory/1652-152-0x0000000000000000-mapping.dmp

Download
memory/1772-80-0x0000000000000000-mapping.dmp

Download
memory/1880-79-0x0000000000000000-mapping.dmp

Download
memory/1928-42-0x0000000000000000-mapping.dmp

Download