2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6

Analysis

max time kernel
300s
max time network
292s
platform
windows10_x64
resource
win10v20201028
submitted
10-02-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r.exe
Size

7.8MB
MD5

939ba0623704350ce7c139aabee00df5
SHA1

4407dc92a0dbc8ef99035dc682a8752f793bf55b
SHA256

2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6
SHA512

76c826928eaef2a80e804ee1fb7f4a2c3d6b6370eade5c2f82671611e3253b30596655b332d19f21af714adc8015db31c3fa5dd1aa76a81b7d7840d99dc16dd1

Score

10^/10

adware persistence ransomware stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2592 created 692 2592 svchost.exe installer.exe

description	pid	process	target process
PID 2592 created 692	2592	svchost.exe	installer.exe

Executes dropped EXE 28 IoCs

Processes:

JavaSetup8u281.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEJavaSetup8u281.exeinstaller.exeJavaSetup8u281.exebspatch.exeJavaSetup8u281.exeJavaSetup8u281.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeLZMA_EXELZMA_EXEssvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeakrien.exeakrien.exeakrien.exe

pid	process
1420	JavaSetup8u281.exe
4056	JavaSetup8u281.exe
1320	LZMA_EXE
2416	LZMA_EXE
2880	JavaSetup8u281.exe
692	installer.exe
908	JavaSetup8u281.exe
2280	bspatch.exe
4036	JavaSetup8u281.exe
1704	JavaSetup8u281.exe
3040	unpack200.exe
748	unpack200.exe
2540	unpack200.exe
3668	unpack200.exe
812	unpack200.exe
1152	unpack200.exe
1844	unpack200.exe
984	javaw.exe
2480	LZMA_EXE
2164	LZMA_EXE
2524	ssvagent.exe
4028	javaws.exe
2068	jp2launcher.exe
4104	javaws.exe
4120	jp2launcher.exe
4852	akrien.exe
2584	akrien.exe
3304	akrien.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeinstaller.exessvagent.exejp2launcher.exe

pid	process
652	MsiExec.exe
652	MsiExec.exe
652	MsiExec.exe
3040	unpack200.exe
748	unpack200.exe
2540	unpack200.exe
3668	unpack200.exe
812	unpack200.exe
1152	unpack200.exe
1844	unpack200.exe
984	javaw.exe
984	javaw.exe
984	javaw.exe
984	javaw.exe
984	javaw.exe
984	javaw.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
692	installer.exe
2524	ssvagent.exe
2524	ssvagent.exe
2068	jp2launcher.exe
2068	jp2launcher.exe
2068	jp2launcher.exe
2068	jp2launcher.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

JavaSetup8u281.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	JavaSetup8u281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"	JavaSetup8u281.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

akrien.exeakrien.exeakrien.exe

pid process

4852 akrien.exe
4852 akrien.exe
2584 akrien.exe
2584 akrien.exe
3304 akrien.exe

pid	process
4852	akrien.exe
4852	akrien.exe
2584	akrien.exe
2584	akrien.exe
3304	akrien.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exejp2launcher.exeunpack200.exemsiexec.exejp2launcher.exeunpack200.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre1.8.0_281\README.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\icu.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\rmid.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\deploy.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-sysinfo-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-math-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\ext\access-bridge-32.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\blacklist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\dcpr.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\pkcs11wrapper.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\policy\limited\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\rt.jar	unpack200.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\client\jvm.pdb	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\awt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\java-rmi.exe	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\dll\java.pdb	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jjs.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\nio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\meta-index	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\policy\limited\local_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\client\Xusage.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\javacpl.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jsdt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\dom.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\plugin.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\API-MS-Win-core-xstate-l2-1-0.dll	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\client\dll\jvm.pdb	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\javaws.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\jsse.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-interlocked-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\orbd.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\sound.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\dt_socket.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\logging.properties	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\client\symbols\dll\jvm.pdb	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\management-agent.jar	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\client\dll\java.pdb	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-handle-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\klist.exe	installer.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI60D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3636.tmp	msiexec.exe
File created	C:\Windows\Installer\f74fc86.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180281F0}	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI3694.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74fc86.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f74fc8a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74fc8a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38B.tmp	msiexec.exe
File created	C:\Windows\Installer\f74fc89.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C82.tmp	msiexec.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2056 4056 WerFault.exe JavaSetup8u281.exe
1716 2068 WerFault.exe jp2launcher.exe
4364 4120 WerFault.exe jp2launcher.exe

pid	pid_target	process	target process
2056	4056	WerFault.exe	JavaSetup8u281.exe
1716	2068	WerFault.exe	jp2launcher.exe
4364	4120	WerFault.exe	jp2launcher.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0272-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_34"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0256-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0246-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0152-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0195-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_195"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_47"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0211-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_56"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0180-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_174"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_88"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0252-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0217-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_173"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0169-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0149-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_24"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0258-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0262-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0188-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0181-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_191"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_09"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0122-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_35"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0130-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_59"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_50"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0197-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0179-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_79"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0170-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_170"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_42"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_198"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0052-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_84"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0241-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0156-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0258-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_258"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_51"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0205-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_205"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_275"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0208-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_220"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0197-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_01"	ssvagent.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JavaSetup8u281.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

WerFault.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeakrien.exeakrien.exeakrien.exe

pid	process
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
4028	javaws.exe
4028	javaws.exe
2068	jp2launcher.exe
2068	jp2launcher.exe
4104	javaws.exe
4104	javaws.exe
4120	jp2launcher.exe
4120	jp2launcher.exe
4852	akrien.exe
4852	akrien.exe
4852	akrien.exe
4852	akrien.exe
4852	akrien.exe
4852	akrien.exe
2584	akrien.exe
2584	akrien.exe
2584	akrien.exe
2584	akrien.exe
3304	akrien.exe
3304	akrien.exe
2584	akrien.exe
2584	akrien.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

JavaSetup8u281.exe

pid process

1704 JavaSetup8u281.exe

pid	process
1704	JavaSetup8u281.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JavaSetup8u281.exemsiexec.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	4056	JavaSetup8u281.exe
Token: SeIncreaseQuotaPrivilege	4056	JavaSetup8u281.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	4056	JavaSetup8u281.exe
Token: SeAssignPrimaryTokenPrivilege	4056	JavaSetup8u281.exe
Token: SeLockMemoryPrivilege	4056	JavaSetup8u281.exe
Token: SeIncreaseQuotaPrivilege	4056	JavaSetup8u281.exe
Token: SeMachineAccountPrivilege	4056	JavaSetup8u281.exe
Token: SeTcbPrivilege	4056	JavaSetup8u281.exe
Token: SeSecurityPrivilege	4056	JavaSetup8u281.exe
Token: SeTakeOwnershipPrivilege	4056	JavaSetup8u281.exe
Token: SeLoadDriverPrivilege	4056	JavaSetup8u281.exe
Token: SeSystemProfilePrivilege	4056	JavaSetup8u281.exe
Token: SeSystemtimePrivilege	4056	JavaSetup8u281.exe
Token: SeProfSingleProcessPrivilege	4056	JavaSetup8u281.exe
Token: SeIncBasePriorityPrivilege	4056	JavaSetup8u281.exe
Token: SeCreatePagefilePrivilege	4056	JavaSetup8u281.exe
Token: SeCreatePermanentPrivilege	4056	JavaSetup8u281.exe
Token: SeBackupPrivilege	4056	JavaSetup8u281.exe
Token: SeRestorePrivilege	4056	JavaSetup8u281.exe
Token: SeShutdownPrivilege	4056	JavaSetup8u281.exe
Token: SeDebugPrivilege	4056	JavaSetup8u281.exe
Token: SeAuditPrivilege	4056	JavaSetup8u281.exe
Token: SeSystemEnvironmentPrivilege	4056	JavaSetup8u281.exe
Token: SeChangeNotifyPrivilege	4056	JavaSetup8u281.exe
Token: SeRemoteShutdownPrivilege	4056	JavaSetup8u281.exe
Token: SeUndockPrivilege	4056	JavaSetup8u281.exe
Token: SeSyncAgentPrivilege	4056	JavaSetup8u281.exe
Token: SeEnableDelegationPrivilege	4056	JavaSetup8u281.exe
Token: SeManageVolumePrivilege	4056	JavaSetup8u281.exe
Token: SeImpersonatePrivilege	4056	JavaSetup8u281.exe
Token: SeCreateGlobalPrivilege	4056	JavaSetup8u281.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2056	WerFault.exe
Token: SeBackupPrivilege	2056	WerFault.exe
Token: SeBackupPrivilege	2056	WerFault.exe
Token: SeDebugPrivilege	2056	WerFault.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

r.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEJavaSetup8u281.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEjp2launcher.exejp2launcher.exe

pid	process
1308	r.exe
1308	r.exe
4056	JavaSetup8u281.exe
4056	JavaSetup8u281.exe
4056	JavaSetup8u281.exe
1320	LZMA_EXE
2416	LZMA_EXE
4056	JavaSetup8u281.exe
4056	JavaSetup8u281.exe
908	JavaSetup8u281.exe
908	JavaSetup8u281.exe
908	JavaSetup8u281.exe
1704	JavaSetup8u281.exe
1704	JavaSetup8u281.exe
1704	JavaSetup8u281.exe
2480	LZMA_EXE
2164	LZMA_EXE
2068	jp2launcher.exe
4120	jp2launcher.exe
1704	JavaSetup8u281.exe
1704	JavaSetup8u281.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

JavaSetup8u281.exeJavaSetup8u281.exemsiexec.exeJavaSetup8u281.exeinstaller.exeJavaSetup8u281.exeJavaSetup8u281.exesvchost.exejavaws.exe

description	pid	process	target process
PID 1420 wrote to memory of 4056	1420	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 1420 wrote to memory of 4056	1420	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 1420 wrote to memory of 4056	1420	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 4056 wrote to memory of 1320	4056	JavaSetup8u281.exe	LZMA_EXE
PID 4056 wrote to memory of 1320	4056	JavaSetup8u281.exe	LZMA_EXE
PID 4056 wrote to memory of 1320	4056	JavaSetup8u281.exe	LZMA_EXE
PID 4056 wrote to memory of 2416	4056	JavaSetup8u281.exe	LZMA_EXE
PID 4056 wrote to memory of 2416	4056	JavaSetup8u281.exe	LZMA_EXE
PID 4056 wrote to memory of 2416	4056	JavaSetup8u281.exe	LZMA_EXE
PID 2556 wrote to memory of 652	2556	msiexec.exe	MsiExec.exe
PID 2556 wrote to memory of 652	2556	msiexec.exe	MsiExec.exe
PID 2556 wrote to memory of 652	2556	msiexec.exe	MsiExec.exe
PID 2556 wrote to memory of 692	2556	msiexec.exe	installer.exe
PID 2556 wrote to memory of 692	2556	msiexec.exe	installer.exe
PID 2556 wrote to memory of 692	2556	msiexec.exe	installer.exe
PID 2880 wrote to memory of 908	2880	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2880 wrote to memory of 908	2880	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2880 wrote to memory of 908	2880	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 692 wrote to memory of 2280	692	installer.exe	bspatch.exe
PID 692 wrote to memory of 2280	692	installer.exe	bspatch.exe
PID 692 wrote to memory of 2280	692	installer.exe	bspatch.exe
PID 4036 wrote to memory of 1704	4036	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 4036 wrote to memory of 1704	4036	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 4036 wrote to memory of 1704	4036	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 692 wrote to memory of 3040	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 3040	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 3040	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 748	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 748	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 748	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 2540	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 2540	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 2540	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 3668	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 3668	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 3668	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 812	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 812	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 812	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1152	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1152	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1152	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1844	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1844	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 1844	692	installer.exe	unpack200.exe
PID 692 wrote to memory of 984	692	installer.exe	javaw.exe
PID 692 wrote to memory of 984	692	installer.exe	javaw.exe
PID 692 wrote to memory of 984	692	installer.exe	javaw.exe
PID 1704 wrote to memory of 2480	1704	JavaSetup8u281.exe	LZMA_EXE
PID 1704 wrote to memory of 2480	1704	JavaSetup8u281.exe	LZMA_EXE
PID 1704 wrote to memory of 2480	1704	JavaSetup8u281.exe	LZMA_EXE
PID 1704 wrote to memory of 2164	1704	JavaSetup8u281.exe	LZMA_EXE
PID 1704 wrote to memory of 2164	1704	JavaSetup8u281.exe	LZMA_EXE
PID 1704 wrote to memory of 2164	1704	JavaSetup8u281.exe	LZMA_EXE
PID 2592 wrote to memory of 2524	2592	svchost.exe	ssvagent.exe
PID 2592 wrote to memory of 2524	2592	svchost.exe	ssvagent.exe
PID 2592 wrote to memory of 2524	2592	svchost.exe	ssvagent.exe
PID 692 wrote to memory of 4028	692	installer.exe	javaws.exe
PID 692 wrote to memory of 4028	692	installer.exe	javaws.exe
PID 692 wrote to memory of 4028	692	installer.exe	javaws.exe
PID 4028 wrote to memory of 2068	4028	javaws.exe	jp2launcher.exe
PID 4028 wrote to memory of 2068	4028	javaws.exe	jp2launcher.exe
PID 4028 wrote to memory of 2068	4028	javaws.exe	jp2launcher.exe
PID 692 wrote to memory of 4104	692	installer.exe	javaws.exe

C:\Users\Admin\AppData\Local\Temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\r.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\jds259301468.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259301468.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 3228
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3CE7C3786CA59A6A47822A9103A16C0E
2⤵
- Loads dropped DLL
PID:652

C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_281\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180281F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692

C:\ProgramData\Oracle\Java\installcache\259341953.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:2280

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3040

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3668

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:812

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaw.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984

C:\Program Files (x86)\Java\jre1.8.0_281\bin\ssvagent.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2524

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 192
5⤵
- Program crash
PID:1716

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1160
5⤵
- Program crash
PID:4364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 857704100F50CD0197581FA99D562BD5 E Global\MSI0000
2⤵
PID:4412

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\jds259341468.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259341468.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3940

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\jds259376312.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259376312.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281patch.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\Desktop\akrien.exe
"C:\Users\Admin\Desktop\akrien.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5028

C:\Users\Admin\Desktop\akrien.exe
"C:\Users\Admin\Desktop\akrien.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4320

C:\Users\Admin\Desktop\akrien.exe
"C:\Users\Admin\Desktop\akrien.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_281\bin\VCRUNTIME140.dll
MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
MD5
f202df73ab8b2755092b1fedf2a53a75

SHA1
083905061e1110db2b332e3da1f3375ea6cd836b

SHA256
b99ae66fc02058cdbd2b3fc1fdb3dde2dee54bc205393a3fa90f4ab4a74aec69

SHA512
36ea65d5430d047a8f85f8849f1bd7a1f645ea3c30d024575a48a935cd51226729124f5e664bd40d19a7d423c7d31a1cf1bb1e0a4664e09db97aefbb3aad6642

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
MD5
f202df73ab8b2755092b1fedf2a53a75

SHA1
083905061e1110db2b332e3da1f3375ea6cd836b

SHA256
b99ae66fc02058cdbd2b3fc1fdb3dde2dee54bc205393a3fa90f4ab4a74aec69

SHA512
36ea65d5430d047a8f85f8849f1bd7a1f645ea3c30d024575a48a935cd51226729124f5e664bd40d19a7d423c7d31a1cf1bb1e0a4664e09db97aefbb3aad6642

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe
MD5
4b6f28c50890eab375d080bd7162ab5a

SHA1
281cd76bbe9ec0ee92487b887f87f8484403e2a8

SHA256
fd2421a2c358d71b4f65703946b3e4d891e2f0e3ce537f46ab126ccf1787ac2c

SHA512
e9c51be54abac73d6fe211bd15c12f85d4db73fb15bd9f6cc97b4a1673b5e734872a25b170894484b69ea6a7d214fab0bf0973ee43ec565a28ea1b35a71262a2

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe
MD5
4b6f28c50890eab375d080bd7162ab5a

SHA1
281cd76bbe9ec0ee92487b887f87f8484403e2a8

SHA256
fd2421a2c358d71b4f65703946b3e4d891e2f0e3ce537f46ab126ccf1787ac2c

SHA512
e9c51be54abac73d6fe211bd15c12f85d4db73fb15bd9f6cc97b4a1673b5e734872a25b170894484b69ea6a7d214fab0bf0973ee43ec565a28ea1b35a71262a2

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_281\lib\plugin.pack
MD5
35dc0e0452a2a3e6a7bd8b2acfecc576

SHA1
d96ace19642b9a8f691f1fcf8df6684aeb5d7559

SHA256
74e285fdb2de2286f75ac676c22d8bfe82ad7c21292788c818579548a6b6e15c

SHA512
53663023828b278eb37dc65550ba89da1fdbd21127b73da8e3f49e2677311ddcfd35e14e35584e61418d473b6bbff71b9e4586a797e0a27182c9471e788e739b

Download Submit
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\baseimagefam8
MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\diff
MD5
d76b2f48e458e79bb06c62d489accfa3

SHA1
0735d72cdd515c6e314a5099ed30781d6f905cac

SHA256
b5f4746327ea23da22a605115a368ff990dea29e2c04148651f3d652602e5371

SHA512
7db8b00150336bd9bce644b59f21c8dac744849a43c6f32ec325d65ac33a383795b7c2b37a85525c8946d32b944ae08793444c44fa9e663feb596912fedfc5b1

Download Submit
C:\ProgramData\Oracle\Java\installcache\259341953.tmp\newimage
MD5
75bf5ea788b638dd9d1cdbf4b1764b7b

SHA1
aec8f224a9978ab77e98f468ce30a94bf27ca817

SHA256
94473b3feb3e9ab4b0c0182d6431a3c9e2c887bc107c9999d5adce8c06dadc6f

SHA512
b325de842bce4f15d3d882ede32941493c44e36b5656bb0b9148d8a75205bbc0a69b19f80a954e602683d0532e9f83c595f83430b04cec735ea8000e38972290

Download Submit
C:\ProgramData\Oracle\Java\installcache\baseimagefam8
MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
b02f6796345383608b6a65333f7372f3

SHA1
fafbe993fcfa9c1cbbae02af268e2caee79b7c57

SHA256
0bc68f627738ae3c9013ac0f72cac0786074966a9bbe5030aae241466f34d809

SHA512
e627d3b6e29ead72f534b7cc92a22fd31a5188b885b59e1ddf84dd9c346abeafd0ebbdd189e2e39f8cb033ebc05edfdfdc21481430331bf85c47a5760815af34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
f8487f7ae907a89e1ef17461763cf093

SHA1
6a1f493b6f0e8e5a15746b191533cd6d0b63ed91

SHA256
2dd3bea924a64bedc95002947e07b89975307cccf011564837b7a65ef1f05029

SHA512
82b5f614160efdae82865252b5a7ed58f43d62a457e1d96cfc6bfcbdd70d33f70ab47af62f0244ab4527d3e938405af1dd1dfca5a257d7dbb2abc2980984ec26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
1159655d0dd7b482319628ecd8c24bdb

SHA1
569b146905d7d5661746f3266cf923bd25e7e94f

SHA256
682354aa37c6f2435c22e8f9b7ff933518083ce8563c4d35f2a68802a0f0c1fd

SHA512
766d8ab83c95b241dd4b73644467c73828a301efad93bd3cfdcb5d6ddb95123592ac2be00fbff8514fae8292d31f89bea99e7ac3c8b22509e440f972c0dfec24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
3a7aa3008da8a23387fe515dc0633c77

SHA1
9fea19741b0e31c5f8b7b0a6337872b33df1ee29

SHA256
8dec7feb428e9ecdc00257e7ddd716480c27cc767c5a3b6ec5a1a798f8b910e8

SHA512
7b0e10bbb497dfecd1191c16c23cc759e119beb0ca049accd9dfbe43b8101acd94d9f372ebd6ee4b70fcdc2ca710b93ca1378521872f42239fb33fad19a76102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
69c5e8b56a3ea1a5634f05983a065551

SHA1
03cfa205392937f8b470123cf006fa9ec03687f0

SHA256
7747fcaf2041593d302550ace8848fbfa9b949550d93905e941887f9ca30c59c

SHA512
66860c180a1f010f77d2bf7ee6bf6b6c4448639795ef15a5d25f0c8d3b3f34b6277c268c3c789d3dc57b45bf7e9a5edc0ae0b5015e5d5c932f6f88c5e0a3d99e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
f7a02516b5c4ad14373af856938e0c5b

SHA1
c98fef1e5f99c9676f0ecdeb41bca966761e15d6

SHA256
e1815042e6ce70f05a2315d01cd7bdff75f43c7522e18834a12067a0aa718874

SHA512
c13ed31a1211415ec33627eb6c89ee96ef8250d1cc4f61f56143dab8a13af12d5fe4362a3823353129405328e99da60c4763a4a1993946a6526fded2b8a98b7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
5f5bd2e43af5c6d51cf69da202a74d38

SHA1
592b331ffaf85fdb6d892a9cce6bd1f2cd68abbe

SHA256
ef664d70045fdbe746981885160a135c5569509f44949c6e88f689c38fdef334

SHA512
4769be540766d32fc0d28eb4d4cb07bdb2e68b093179ce803a34b31e1a226f1137ebfaef8eb6b8c0467c507978ed576b7e28ebdfa78a935f1b363f12feb6ff9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
2a18ddcb2a0eefe1d29d8bd73e99ee2e

SHA1
c1da8ac292fce41808b5e3429eab94b58b16acfe

SHA256
1030450b3cedcbb09ce11d5e44ea42970cc35a6b6c266d8224803e491b65e426

SHA512
6323e845678b7908c240fca409422e28df29c5edd623b784f8aaefe129b582ec8c7390be7f3aa8ae7cc9a042b7e3eae2f328b9874131611ab056fa539ba4eee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi
MD5
88435c6298eff7ecf4fda8414d4b5c8c

SHA1
66d51843316a86d70b1b7799a6d74d492e413c64

SHA256
18ee9710217a0a341ef0b82324274a3a4ada6745934834e022ae12d19fb04981

SHA512
d46b1ad30244e0770fd040b7a9271846482c03a054ff727ccd840b0312650652a6c589c6ebca380f96fcf06fbc560d4d99a8f34c903108d1c94e93636ff0910b

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi
MD5
cd6bbef4f6df0d6a0c9193a67f27b222

SHA1
e2fcc99c1fcc4203d1481620099f2dd156f5afaf

SHA256
ba28b247930d19fb8ad6553fb4a154cd8a40046507850c1f4af887223a5bedfc

SHA512
8ed7a70dfd9299e2ae105756186caf87fbbf11ecf57d0a2b22d49a8a28e9ecdf05cfce3654048548827497c6f5969729e1baaf98e8010773a97323c9274b64f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
27163914d6a8e50c1aef46ee46c093a7

SHA1
d9880a1a2475c7359e0c5254f6f51b2f8cf9b289

SHA256
463fc2144ed4107e1462e2360e2baebfcde064dd8698375f015471abc20c2c5b

SHA512
70c25abf89442765c42ccfee99cd8396d8d06d8f984aac5c91dfa96ef8ba9f2c8cba7cb9d5062e5e9036e3dd09d83f5ac56c687549d203465c020e997d1d48b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
c0e6d8887ccdf3376fcd87f20009b043

SHA1
2248952e0148d92eec7d03a832d269062e152a68

SHA256
001805d209448562eb98b92cb74933aa0b713f81437863591826b1ccea5350ab

SHA512
a40b82fa20115b4ffdcbf9e7f3abde074c33d9461c4db21dd483e61ef189c6d90bb3ae8187b3742181d8beb619f413e9e816fd81d15a4109858383cbbff8fbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301468.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301468.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259341468.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259341468.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259376312.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259376312.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
f15eafde34f41223b01543736816b051

SHA1
942f176dcd80f92934d1c0c9946010b167b98657

SHA256
ccdcbe9ec1895de6b2f821583da96707c7b26fe99c01b424ca43f77d67a42299

SHA512
378577857c9c2975b9d791f8dc6b96b2a2ae6870b298cc7afe5a00d4d21e66dbcf378f307b020dfb1771005f0e5eb478a325b5c56c0096fab64cee98c44832ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c4aeccb8ce0458de49698b6d978166c0

SHA1
aa49695546555b20f5277e22bdfcabab75de9cde

SHA256
e5bae1a373af44ebc75948d5574d6cfb0404c7a5aac8a2e01f41108431170fa0

SHA512
6dbcdc0d765aba03672d9156037751404132a7ac099748a7939f0f7b5ab458e0539c9c03e3bac52f87ac61b46c6e708d4c734dfb2fff97b2bc279c2f5eb130b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c4aeccb8ce0458de49698b6d978166c0

SHA1
aa49695546555b20f5277e22bdfcabab75de9cde

SHA256
e5bae1a373af44ebc75948d5574d6cfb0404c7a5aac8a2e01f41108431170fa0

SHA512
6dbcdc0d765aba03672d9156037751404132a7ac099748a7939f0f7b5ab458e0539c9c03e3bac52f87ac61b46c6e708d4c734dfb2fff97b2bc279c2f5eb130b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf3c696817debb73f0c0feadc3c45572

SHA1
ac25ebaed746b0234c11a9c74db4d801314592d0

SHA256
8cf87a88312064d704ae330afb62cad1a34cb5fb063dc992e244264fab85d9fb

SHA512
89c9429cb322c70446e728c1592d5dd0d46552faf19263289f711f581bb2a63120bb5cc262e9ab1cbcefb1e2805d7bf3c9702ed36265bf27f653be70f2e5732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
4ea6d9c41909297b517522e3c2e5b2ae

SHA1
9484a17c7b34abb8ee8551fb8a6a67cea8fd5f99

SHA256
6ae89001f187dab5fd9b693d4acd836be0d5be0c34b201b668d57be7adc7d626

SHA512
711ae4e0daea6630e79cbf9410c200616ee2e9d62c7a589a3bcb00a807b9499bc90476852b8730d2e69c365ca36f5f8551fe9dd48568a82cfe47fc7cd67f6dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
38c8860e466ccf4da806871e2fe2967f

SHA1
717747656359cff85f29d0a1c08c013e67e445a5

SHA256
42c07722676fb463eb3fbe605806c84459c981d28598bff2dbf10eceafd0e92a

SHA512
3c460c88f2a43c5606005754cc55c86eb84e876312d05a3a1fb669290d66f5811f92be83015548aa24539db410418e23a2f76aff0f08806d7cae3fe984f22aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
3edb389106b68965f6dca9d1f786ba31

SHA1
1cf289b51e5702868a0cea16b7af0bea5b4b5a4b

SHA256
d1908b060dd09d8e39ebe78fb47da5516a4ed775ff59468764ee38190f4f774d

SHA512
a612524ed1b3ba35a9d7c2da74e8c0980e73389667c12963acb461dbd2e080dc159910cbd1e701d5c0e99b9e4d5bb19ec15c71c5771b5aa700313d691ffd166e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
86649da8293a88e2678c0c49cc65851f

SHA1
d495958aab782e472069ef4e0f8895600629764c

SHA256
023a8b780b966434b6a97269d9f567c599cb1b2109da288103801f869af8c2da

SHA512
c52510a10bf83be08c79f0250d582bbc53202d4c23e1046aeae76eaa03d00ec7c55ca0a7c4b725e91877e017542defacdfbb1d6df3045b12d04dde5c0da67bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bfdd76b14fd68a8fd40554459d07095c

SHA1
f9fc574f901a24417531a8a92792266a5e78b278

SHA256
93b06c183595dffd5005eaa46b6cbe16c7e8d4145bf00ffb074ae6d5fc97db9b

SHA512
3a2080648199fb5d276090e84573820c219e0e50355ad13643bacfd310a9c78b9811f1379acd82d32b290541d545d835ef3dd3b0faa6133a1027041961afe788

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
4e3e7af9742d6f27bf822bd38aa7ac52

SHA1
998b6d0a96fe29851c732d5b3a9906a7c5bc7adb

SHA256
7307cfac29300b60a18817cb32ef80ed9d6535e1eeea7e088dc62072ccb36d55

SHA512
58b517a116b0db150c15f8237e47aa6f2d6077349c9f8b75cfbf7027091b9080984a2df460e50bd2f402eb71c2c2aa1a34237ce8dcd0264386b782ae04ad34a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
ee40f8ad8e87ba39f51cb75a31b163ab

SHA1
8912eb25e04084feb5810a1e8eb5c4ba2e9c7422

SHA256
61edcaa9570e41c4bb34dfbe5ff7fd4647c1e8df0f71f8e3ec884fc04a2b4138

SHA512
665ddc7cf1a006eb53a98d2c9213d4312e8265ae91a5845d3613c2634ee750a4635e169701d7aba4093f9591b8902107b2335ad29f30f5d16b6266faff7eedb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
ee40f8ad8e87ba39f51cb75a31b163ab

SHA1
8912eb25e04084feb5810a1e8eb5c4ba2e9c7422

SHA256
61edcaa9570e41c4bb34dfbe5ff7fd4647c1e8df0f71f8e3ec884fc04a2b4138

SHA512
665ddc7cf1a006eb53a98d2c9213d4312e8265ae91a5845d3613c2634ee750a4635e169701d7aba4093f9591b8902107b2335ad29f30f5d16b6266faff7eedb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
be6454d358165cfc1aace5c7c7e3e4f2

SHA1
1cf9416ad308779641d90e90b31ad7b581c0a05e

SHA256
f27aa496cbe014af70cae6ca3acb8959ce5263b451ace4e46903004f8e7961ec

SHA512
8e3e83970f7a6ac1eb7efed5fa65e1a783b1b9404f61023ca5397c663d9a01525e3738c4d847ec2ab2d4f044954a0c9fe27ee88e0b04847fdcac8a12da4d6d2f

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Windows\Installer\MSI3694.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
C:\Windows\Installer\MSI38B.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
C:\Windows\Installer\MSI60D.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
C:\Windows\Installer\f74fc89.msi
MD5
c0e6d8887ccdf3376fcd87f20009b043

SHA1
2248952e0148d92eec7d03a832d269062e152a68

SHA256
001805d209448562eb98b92cb74933aa0b713f81437863591826b1ccea5350ab

SHA512
a40b82fa20115b4ffdcbf9e7f3abde074c33d9461c4db21dd483e61ef189c6d90bb3ae8187b3742181d8beb619f413e9e816fd81d15a4109858383cbbff8fbc2

Download Submit
\Program Files (x86)\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\Windows\Installer\MSI3694.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
\Windows\Installer\MSI38B.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
\Windows\Installer\MSI60D.tmp
MD5
48ba53112ed2c351e062499995891806

SHA1
f33cadaea1dfe2f488b3d936e1f12e9fe8ab6406

SHA256
21cd63d63d3af5da2c84f9368129cc760cded245d3365a075975890c3c775fc8

SHA512
35e692ea7daae171e35319dc670792110bbc0d618e38e967be8c40588bccdcc49c6398f4b309001a1972f0619af5e12b39a5f736598b29198f651b23125666e6

Download Submit
memory/652-22-0x0000000000000000-mapping.dmp

Download
memory/692-37-0x0000000000000000-mapping.dmp

Download
memory/748-79-0x0000000000000000-mapping.dmp

Download
memory/812-82-0x0000000000000000-mapping.dmp

Download
memory/908-38-0x0000000000000000-mapping.dmp

Download
memory/984-86-0x0000000002790000-0x00000000027B8000-memory.dmp

Filesize
160KB

Download
memory/984-85-0x0000000000000000-mapping.dmp

Download
memory/1152-83-0x0000000000000000-mapping.dmp

Download
memory/1320-9-0x0000000000000000-mapping.dmp

Download
memory/1520-166-0x0000000000000000-mapping.dmp

Download
memory/1704-64-0x0000000000000000-mapping.dmp

Download
memory/1844-84-0x0000000000000000-mapping.dmp

Download
memory/2056-28-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2056-29-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/2068-93-0x0000000002F00000-0x0000000002F28000-memory.dmp

Filesize
160KB

Download
memory/2068-102-0x0000000002F98000-0x0000000002FA0000-memory.dmp

Filesize
32KB

Download
memory/2068-116-0x0000000003000000-0x0000000003008000-memory.dmp

Filesize
32KB

Download
memory/2068-108-0x0000000002FD8000-0x0000000002FE0000-memory.dmp

Filesize
32KB

Download
memory/2068-110-0x0000000002FE8000-0x0000000002FF0000-memory.dmp

Filesize
32KB

Download
memory/2068-113-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/2068-105-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/2068-103-0x0000000002FA8000-0x0000000002FB0000-memory.dmp

Filesize
32KB

Download
memory/2068-92-0x0000000000000000-mapping.dmp

Download
memory/2068-115-0x0000000002FF8000-0x0000000003000000-memory.dmp

Filesize
32KB

Download
memory/2068-104-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/2068-94-0x0000000002FB8000-0x0000000002FC0000-memory.dmp

Filesize
32KB

Download
memory/2068-95-0x0000000002F48000-0x0000000002F50000-memory.dmp

Filesize
32KB

Download
memory/2068-96-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/2068-97-0x0000000002FC8000-0x0000000002FD0000-memory.dmp

Filesize
32KB

Download
memory/2068-98-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/2068-99-0x0000000002F38000-0x0000000002F40000-memory.dmp

Filesize
32KB

Download
memory/2068-101-0x0000000002F40000-0x0000000002F48000-memory.dmp

Filesize
32KB

Download
memory/2068-100-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/2068-109-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/2164-89-0x0000000000000000-mapping.dmp

Download
memory/2280-51-0x0000000000000000-mapping.dmp

Download
memory/2416-14-0x0000000000000000-mapping.dmp

Download
memory/2480-87-0x0000000000000000-mapping.dmp

Download
memory/2524-90-0x0000000000000000-mapping.dmp

Download
memory/2540-80-0x0000000000000000-mapping.dmp

Download
memory/2584-190-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/2584-216-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/2584-244-0x0000000003800000-0x0000000003810000-memory.dmp

Filesize
64KB

Download
memory/2584-243-0x00000000037F0000-0x0000000003800000-memory.dmp

Filesize
64KB

Download
memory/2584-242-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download
memory/2584-241-0x00000000037D0000-0x00000000037E0000-memory.dmp

Filesize
64KB

Download
memory/2584-240-0x00000000037C0000-0x00000000037D0000-memory.dmp

Filesize
64KB

Download
memory/2584-239-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/2584-237-0x0000000003790000-0x00000000037A0000-memory.dmp

Filesize
64KB

Download
memory/2584-238-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/2584-236-0x0000000003710000-0x0000000003720000-memory.dmp

Filesize
64KB

Download
memory/2584-231-0x0000000003650000-0x0000000003660000-memory.dmp

Filesize
64KB

Download
memory/2584-235-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/2584-234-0x0000000003670000-0x0000000003680000-memory.dmp

Filesize
64KB

Download
memory/2584-233-0x0000000003660000-0x0000000003670000-memory.dmp

Filesize
64KB

Download
memory/2584-232-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/2584-230-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/2584-229-0x0000000003770000-0x0000000003780000-memory.dmp

Filesize
64KB

Download
memory/2584-228-0x0000000003750000-0x0000000003760000-memory.dmp

Filesize
64KB

Download
memory/2584-226-0x0000000003630000-0x0000000003640000-memory.dmp

Filesize
64KB

Download
memory/2584-227-0x0000000003640000-0x0000000003650000-memory.dmp

Filesize
64KB

Download
memory/2584-225-0x0000000003620000-0x0000000003630000-memory.dmp

Filesize
64KB

Download
memory/2584-224-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/2584-223-0x0000000003610000-0x0000000003620000-memory.dmp

Filesize
64KB

Download
memory/2584-220-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2584-222-0x0000000003600000-0x0000000003610000-memory.dmp

Filesize
64KB

Download
memory/2584-221-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/2584-218-0x00000000035C0000-0x00000000035D0000-memory.dmp

Filesize
64KB

Download
memory/2584-219-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/2584-217-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/2584-215-0x0000000003730000-0x0000000003740000-memory.dmp

Filesize
64KB

Download
memory/2584-214-0x00000000036B0000-0x00000000036C0000-memory.dmp

Filesize
64KB

Download
memory/2584-210-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/2584-213-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/2584-212-0x0000000003720000-0x0000000003730000-memory.dmp

Filesize
64KB

Download
memory/2584-211-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/2584-209-0x00000000036C0000-0x00000000036D0000-memory.dmp

Filesize
64KB

Download
memory/2584-208-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/2584-207-0x00000000035B0000-0x00000000035C0000-memory.dmp

Filesize
64KB

Download
memory/2584-206-0x00000000035A0000-0x00000000035B0000-memory.dmp

Filesize
64KB

Download
memory/2584-205-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/2584-204-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/2584-203-0x0000000003570000-0x0000000003580000-memory.dmp

Filesize
64KB

Download
memory/2584-202-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/2584-201-0x0000000003560000-0x0000000003570000-memory.dmp

Filesize
64KB

Download
memory/2584-200-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download
memory/2584-199-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/2584-198-0x00000000034D0000-0x00000000034E0000-memory.dmp

Filesize
64KB

Download
memory/2584-197-0x00000000034C0000-0x00000000034D0000-memory.dmp

Filesize
64KB

Download
memory/2584-196-0x0000000003540000-0x0000000003550000-memory.dmp

Filesize
64KB

Download
memory/2584-195-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2584-168-0x00007FF8F5FD0000-0x00007FF8F5FD2000-memory.dmp

Filesize
8KB

Download
memory/2584-171-0x0000000003110000-0x0000000003380000-memory.dmp

Filesize
2.4MB

Download
memory/2584-173-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/2584-172-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/2584-175-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/2584-174-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/2584-176-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/2584-177-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/2584-178-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/2584-179-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/2584-180-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/2584-182-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/2584-184-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/2584-183-0x0000000003430000-0x0000000003440000-memory.dmp

Filesize
64KB

Download
memory/2584-181-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/2584-185-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/2584-186-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/2584-187-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/2584-189-0x0000000003510000-0x0000000003520000-memory.dmp

Filesize
64KB

Download
memory/2584-194-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/2584-188-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/2584-191-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/2584-193-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/2584-192-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/3040-71-0x0000000000000000-mapping.dmp

Download
memory/3668-81-0x0000000000000000-mapping.dmp

Download
memory/4028-91-0x0000000000000000-mapping.dmp

Download
memory/4056-5-0x0000000000000000-mapping.dmp

Download
memory/4104-106-0x0000000000000000-mapping.dmp

Download
memory/4120-122-0x0000000002F20000-0x0000000002F28000-memory.dmp

Filesize
32KB

Download
memory/4120-124-0x0000000002F88000-0x0000000002F90000-memory.dmp

Filesize
32KB

Download
memory/4120-130-0x0000000002FC8000-0x0000000002FD0000-memory.dmp

Filesize
32KB

Download
memory/4120-129-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/4120-127-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/4120-111-0x0000000002F98000-0x0000000002FA0000-memory.dmp

Filesize
32KB

Download
memory/4120-112-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/4120-128-0x0000000002FB8000-0x0000000002FC0000-memory.dmp

Filesize
32KB

Download
memory/4120-125-0x0000000002F90000-0x0000000002F98000-memory.dmp

Filesize
32KB

Download
memory/4120-123-0x0000000002F78000-0x0000000002F80000-memory.dmp

Filesize
32KB

Download
memory/4120-114-0x0000000002FA8000-0x0000000002FB0000-memory.dmp

Filesize
32KB

Download
memory/4120-107-0x0000000000000000-mapping.dmp

Download
memory/4120-118-0x0000000002F28000-0x0000000002F30000-memory.dmp

Filesize
32KB

Download
memory/4120-119-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/4120-121-0x0000000002F80000-0x0000000002F88000-memory.dmp

Filesize
32KB

Download
memory/4120-120-0x0000000002F18000-0x0000000002F20000-memory.dmp

Filesize
32KB

Download
memory/4120-131-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/4244-162-0x0000000000000000-mapping.dmp

Download
memory/4284-163-0x0000000000000000-mapping.dmp

Download
memory/4324-164-0x0000000000000000-mapping.dmp

Download
memory/4344-165-0x0000000000000000-mapping.dmp

Download
memory/4392-250-0x0000000000000000-mapping.dmp

Download
memory/4412-126-0x0000000000000000-mapping.dmp

Download
memory/4424-249-0x0000000000000000-mapping.dmp

Download
memory/4780-248-0x0000000000000000-mapping.dmp

Download
memory/4836-247-0x0000000000000000-mapping.dmp

Download
memory/4852-153-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/4852-151-0x0000000003480000-0x0000000003490000-memory.dmp

Filesize
64KB

Download
memory/4852-159-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/4852-154-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4852-157-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/4852-158-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/4852-156-0x00000000034D0000-0x00000000034E0000-memory.dmp

Filesize
64KB

Download
memory/4852-140-0x00007FF8F5FD0000-0x00007FF8F5FD2000-memory.dmp

Filesize
8KB

Download
memory/4852-143-0x00000000031A0000-0x0000000003410000-memory.dmp

Filesize
2.4MB

Download
memory/4852-146-0x0000000003430000-0x0000000003440000-memory.dmp

Filesize
64KB

Download
memory/4852-144-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/4852-145-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/4852-147-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4852-148-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/4852-149-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/4852-150-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/4852-132-0x00007FF8F5FB0000-0x00007FF8F5FB2000-memory.dmp

Filesize
8KB

Download
memory/4852-152-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/4852-155-0x00000000034C0000-0x00000000034D0000-memory.dmp

Filesize
64KB

Download
memory/4956-134-0x0000000000000000-mapping.dmp

Download
memory/4972-135-0x0000000000000000-mapping.dmp

Download
memory/4988-136-0x0000000000000000-mapping.dmp

Download
memory/5004-137-0x0000000000000000-mapping.dmp

Download
memory/5028-138-0x0000000000000000-mapping.dmp

Download