2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6

Analysis

max time kernel
591s
max time network
571s
platform
windows10_x64
resource
win10v20201028
submitted
10-02-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r.exe
Size

7.8MB
MD5

939ba0623704350ce7c139aabee00df5
SHA1

4407dc92a0dbc8ef99035dc682a8752f793bf55b
SHA256

2db7866798f1d612aab8fdccc3420096ab11f208a37bdaf3f8d49480da4c06a6
SHA512

76c826928eaef2a80e804ee1fb7f4a2c3d6b6370eade5c2f82671611e3253b30596655b332d19f21af714adc8015db31c3fa5dd1aa76a81b7d7840d99dc16dd1

Score

10^/10

adware persistence ransomware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2296 created 3728 2296 svchost.exe installer.exe
PID 2296 created 944 2296 svchost.exe installer.exe

description	pid	process	target process
PID 2296 created 3728	2296	svchost.exe	installer.exe
PID 2296 created 944	2296	svchost.exe	installer.exe

Executes dropped EXE 50 IoCs

Processes:

JavaSetup8u281.exeJavaSetup8u281.exeMSI16A6.tmpJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeJavaSetup8u281.exeJavaSetup8u281.exeMSI2872.tmpLZMA_EXELZMA_EXEakrien.exeakrien.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
2088	JavaSetup8u281.exe
3932	JavaSetup8u281.exe
2912	MSI16A6.tmp
3516	JavaSetup8u281.exe
2116	JavaSetup8u281.exe
408	JavaSetup8u281.exe
1640	JavaSetup8u281.exe
3468	JavaSetup8u281.exe
2640	JavaSetup8u281.exe
3804	JavaSetup8u281.exe
2912	JavaSetup8u281.exe
3984	LZMA_EXE
544	LZMA_EXE
3728	installer.exe
2284	bspatch.exe
2520	unpack200.exe
772	unpack200.exe
2392	unpack200.exe
3928	unpack200.exe
1016	unpack200.exe
3012	unpack200.exe
3976	unpack200.exe
2252	javaw.exe
4072	ssvagent.exe
2120	javaws.exe
2132	jp2launcher.exe
3924	javaws.exe
2312	jp2launcher.exe
2280	JavaSetup8u281.exe
1000	JavaSetup8u281.exe
2260	MSI2872.tmp
2680	LZMA_EXE
2096	LZMA_EXE
2232	akrien.exe
3508	akrien.exe
944	installer.exe
2064	bspatch.exe
1912	unpack200.exe
3228	unpack200.exe
3192	unpack200.exe
3768	unpack200.exe
2928	unpack200.exe
2128	unpack200.exe
2940	unpack200.exe
3792	javaw.exe
2008	ssvagent.exe
668	javaws.exe
3992	jp2launcher.exe
1436	javaws.exe
1512	jp2launcher.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeinstaller.exessvagent.exejp2launcher.exe

pid	process
940	MsiExec.exe
2444	MsiExec.exe
2444	MsiExec.exe
3248	MsiExec.exe
3248	MsiExec.exe
3248	MsiExec.exe
2520	unpack200.exe
772	unpack200.exe
2392	unpack200.exe
3928	unpack200.exe
1016	unpack200.exe
3012	unpack200.exe
3976	unpack200.exe
2252	javaw.exe
2252	javaw.exe
2252	javaw.exe
2252	javaw.exe
2252	javaw.exe
2252	javaw.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
3728	installer.exe
4072	ssvagent.exe
4072	ssvagent.exe
2132	jp2launcher.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 2 IoCs

Processes:

installer.exeinstaller.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

akrien.exeakrien.exe

pid process

2232 akrien.exe
2232 akrien.exe
3508 akrien.exe
3508 akrien.exe

pid	process
2232	akrien.exe
2232	akrien.exe
3508	akrien.exe
3508	akrien.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeinstaller.exeunpack200.exeinstaller.exeunpack200.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcp120.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\deploy\messages_zh_HK.properties	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\JAWTAccessBridge-32.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_de.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\default.jfc	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\policy\limited\US_export_policy.jar	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\libpng.md	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\santuario.md	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\sRGB.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\javaws.jar	unpack200.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\CIEXYZ.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\w2k_lsa_auth.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\logging.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ja.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\npt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\CIEXYZ.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\ext\meta-index	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\psfontj2d.properties	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\README.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jabswitch.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\klist.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jli.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\images\cursors\invalid32x32.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\jfr\profile.jfc	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259629218\javaw.exe	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\policy\unlimited\local_policy.jar	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\awt.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\jsdt.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\dom.md	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\content-types.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-locale-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\fontmanager.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2native.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\rmid.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\pkcs11wrapper.md	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\cmm\PYCC.pf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-conio-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\legal\jdk\jcup.md	installer.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\legal\javafx\directshow.md	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\lib\security\policy\limited\US_export_policy.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.cpl	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javafx.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\bin\mlib_image.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_281\lib\deploy.jar	unpack200.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\ktab.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Java\jre1.8.0_281\bin\ssv.dll	msiexec.exe

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI4088.tmp	msiexec.exe
File created	C:\Windows\Installer\f753538.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D15.tmp	msiexec.exe
File created	C:\Windows\Installer\f75353b.msi	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180281F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2872.tmp	msiexec.exe
File created	C:\Windows\Installer\f753658.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f753538.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2553.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6038.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI355A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DC2.tmp	msiexec.exe
File created	C:\Windows\Installer\f753655.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCB5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI459A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f753655.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF71D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI399B.tmp	msiexec.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3164 2912 WerFault.exe JavaSetup8u281.exe
2600 1000 WerFault.exe JavaSetup8u281.exe
1656 1512 WerFault.exe jp2launcher.exe

pid	pid_target	process	target process
3164	2912	WerFault.exe	JavaSetup8u281.exe
2600	1000	WerFault.exe	JavaSetup8u281.exe
1656	1512	WerFault.exe	jp2launcher.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeinstaller.exeMSI16A6.tmpMSI2872.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MSI16A6.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Users\\Admin\\Desktop\\New folder\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	MSI2872.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSI2872.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	MSI2872.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	MSI16A6.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MSI2872.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Users\\Admin\\Desktop\\New folder\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Users\\Admin\\Desktop\\New folder\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI2872.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Users\\Admin\\Desktop\\New folder\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exeinstaller.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_17"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0223-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0094-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0208-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0258-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_258"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0279-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_279"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_162"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0215-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0058-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0182-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_201"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0110-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0177-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_45"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_187"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0141-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0159-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0061-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_56"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_68"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0258-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_39"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_33"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0192-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_02"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_81"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0173-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_173"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exeMSI2872.tmpssvagent.exeinstaller.exeMSI16A6.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_178"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0140-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBA}\INPROCSERVER32	MSI2872.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC}\INPROCSERVER32	MSI2872.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0175-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\INPROCSERVER32	MSI16A6.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBA}\INPROCSERVER32	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_27"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0143-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBC}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBA}	MSI2872.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0241-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_63"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}	MSI16A6.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBB}	MSI16A6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0153-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0212-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBB}	MSI2872.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBA}	MSI2872.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBC}	MSI2872.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_213"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_161"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0098-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_71"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0217-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBB}	MSI16A6.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0204-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_23"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Admin\\Desktop\\New folder\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}	MSI16A6.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0218-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_218"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_81"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBC}\INPROCSERVER32	MSI2872.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0246-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0156-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0239-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_239"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}	MSI2872.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0208-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_94"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JavaSetup8u281.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u281.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MSI16A6.tmpjp2launcher.exemsiexec.exeWerFault.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeWerFault.exeakrien.exeakrien.exejavaws.exejp2launcher.exe

pid	process
2912	MSI16A6.tmp
2912	MSI16A6.tmp
2512	jp2launcher.exe
2512	jp2launcher.exe
2856	msiexec.exe
2856	msiexec.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
3164	WerFault.exe
2120	javaws.exe
2120	javaws.exe
2132	jp2launcher.exe
2132	jp2launcher.exe
3924	javaws.exe
3924	javaws.exe
2312	jp2launcher.exe
2312	jp2launcher.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2232	akrien.exe
2232	akrien.exe
2232	akrien.exe
2232	akrien.exe
2232	akrien.exe
2232	akrien.exe
3508	akrien.exe
3508	akrien.exe
3508	akrien.exe
3508	akrien.exe
3508	akrien.exe
3508	akrien.exe
668	javaws.exe
668	javaws.exe
3992	jp2launcher.exe
3992	jp2launcher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

JavaSetup8u281.exe

pid process

1000 JavaSetup8u281.exe

pid	process
1000	JavaSetup8u281.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JavaSetup8u281.exemsiexec.exeMSI16A6.tmp

description	pid	process
Token: SeShutdownPrivilege	3932	JavaSetup8u281.exe
Token: SeIncreaseQuotaPrivilege	3932	JavaSetup8u281.exe
Token: SeSecurityPrivilege	2856	msiexec.exe
Token: SeCreateTokenPrivilege	3932	JavaSetup8u281.exe
Token: SeAssignPrimaryTokenPrivilege	3932	JavaSetup8u281.exe
Token: SeLockMemoryPrivilege	3932	JavaSetup8u281.exe
Token: SeIncreaseQuotaPrivilege	3932	JavaSetup8u281.exe
Token: SeMachineAccountPrivilege	3932	JavaSetup8u281.exe
Token: SeTcbPrivilege	3932	JavaSetup8u281.exe
Token: SeSecurityPrivilege	3932	JavaSetup8u281.exe
Token: SeTakeOwnershipPrivilege	3932	JavaSetup8u281.exe
Token: SeLoadDriverPrivilege	3932	JavaSetup8u281.exe
Token: SeSystemProfilePrivilege	3932	JavaSetup8u281.exe
Token: SeSystemtimePrivilege	3932	JavaSetup8u281.exe
Token: SeProfSingleProcessPrivilege	3932	JavaSetup8u281.exe
Token: SeIncBasePriorityPrivilege	3932	JavaSetup8u281.exe
Token: SeCreatePagefilePrivilege	3932	JavaSetup8u281.exe
Token: SeCreatePermanentPrivilege	3932	JavaSetup8u281.exe
Token: SeBackupPrivilege	3932	JavaSetup8u281.exe
Token: SeRestorePrivilege	3932	JavaSetup8u281.exe
Token: SeShutdownPrivilege	3932	JavaSetup8u281.exe
Token: SeDebugPrivilege	3932	JavaSetup8u281.exe
Token: SeAuditPrivilege	3932	JavaSetup8u281.exe
Token: SeSystemEnvironmentPrivilege	3932	JavaSetup8u281.exe
Token: SeChangeNotifyPrivilege	3932	JavaSetup8u281.exe
Token: SeRemoteShutdownPrivilege	3932	JavaSetup8u281.exe
Token: SeUndockPrivilege	3932	JavaSetup8u281.exe
Token: SeSyncAgentPrivilege	3932	JavaSetup8u281.exe
Token: SeEnableDelegationPrivilege	3932	JavaSetup8u281.exe
Token: SeManageVolumePrivilege	3932	JavaSetup8u281.exe
Token: SeImpersonatePrivilege	3932	JavaSetup8u281.exe
Token: SeCreateGlobalPrivilege	3932	JavaSetup8u281.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeDebugPrivilege	2912	MSI16A6.tmp
Token: SeBackupPrivilege	2912	MSI16A6.tmp
Token: SeRestorePrivilege	2912	MSI16A6.tmp
Token: SeBackupPrivilege	2912	MSI16A6.tmp
Token: SeRestorePrivilege	2912	MSI16A6.tmp
Token: SeBackupPrivilege	2912	MSI16A6.tmp
Token: SeRestorePrivilege	2912	MSI16A6.tmp
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe
Token: SeTakeOwnershipPrivilege	2856	msiexec.exe
Token: SeRestorePrivilege	2856	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WerFault.exe

pid process

2600 WerFault.exe
2600 WerFault.exe

pid	process
2600	WerFault.exe
2600	WerFault.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

r.exeJavaSetup8u281.exejp2launcher.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEjp2launcher.exejp2launcher.exeJavaSetup8u281.exeLZMA_EXELZMA_EXEjp2launcher.exe

pid	process
652	r.exe
652	r.exe
3932	JavaSetup8u281.exe
3932	JavaSetup8u281.exe
3932	JavaSetup8u281.exe
2512	jp2launcher.exe
2116	JavaSetup8u281.exe
1640	JavaSetup8u281.exe
2640	JavaSetup8u281.exe
2912	JavaSetup8u281.exe
2912	JavaSetup8u281.exe
2912	JavaSetup8u281.exe
3984	LZMA_EXE
544	LZMA_EXE
2912	JavaSetup8u281.exe
2912	JavaSetup8u281.exe
2132	jp2launcher.exe
2312	jp2launcher.exe
1000	JavaSetup8u281.exe
1000	JavaSetup8u281.exe
1000	JavaSetup8u281.exe
2680	LZMA_EXE
2096	LZMA_EXE
1000	JavaSetup8u281.exe
1000	JavaSetup8u281.exe
3992	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

JavaSetup8u281.exemsiexec.exeMSI16A6.tmpjavaws.exejaureg.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeJavaSetup8u281.exeinstaller.exe

description	pid	process	target process
PID 2088 wrote to memory of 3932	2088	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2088 wrote to memory of 3932	2088	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2088 wrote to memory of 3932	2088	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2856 wrote to memory of 2912	2856	msiexec.exe	MSI16A6.tmp
PID 2856 wrote to memory of 2912	2856	msiexec.exe	MSI16A6.tmp
PID 2912 wrote to memory of 3148	2912	MSI16A6.tmp	javaws.exe
PID 2912 wrote to memory of 3148	2912	MSI16A6.tmp	javaws.exe
PID 3148 wrote to memory of 2512	3148	javaws.exe	jp2launcher.exe
PID 3148 wrote to memory of 2512	3148	javaws.exe	jp2launcher.exe
PID 2912 wrote to memory of 1624	2912	MSI16A6.tmp	jaureg.exe
PID 2912 wrote to memory of 1624	2912	MSI16A6.tmp	jaureg.exe
PID 2912 wrote to memory of 1624	2912	MSI16A6.tmp	jaureg.exe
PID 1624 wrote to memory of 2268	1624	jaureg.exe	msiexec.exe
PID 1624 wrote to memory of 2268	1624	jaureg.exe	msiexec.exe
PID 1624 wrote to memory of 2268	1624	jaureg.exe	msiexec.exe
PID 2856 wrote to memory of 940	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 940	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 940	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 2444	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 2444	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 2444	2856	msiexec.exe	MsiExec.exe
PID 3516 wrote to memory of 2116	3516	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3516 wrote to memory of 2116	3516	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3516 wrote to memory of 2116	3516	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 408 wrote to memory of 1640	408	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 408 wrote to memory of 1640	408	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 408 wrote to memory of 1640	408	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3468 wrote to memory of 2640	3468	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3468 wrote to memory of 2640	3468	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3468 wrote to memory of 2640	3468	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3804 wrote to memory of 2912	3804	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3804 wrote to memory of 2912	3804	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 3804 wrote to memory of 2912	3804	JavaSetup8u281.exe	JavaSetup8u281.exe
PID 2912 wrote to memory of 3984	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2912 wrote to memory of 3984	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2912 wrote to memory of 3984	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2912 wrote to memory of 544	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2912 wrote to memory of 544	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2912 wrote to memory of 544	2912	JavaSetup8u281.exe	LZMA_EXE
PID 2856 wrote to memory of 3248	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 3248	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 3248	2856	msiexec.exe	MsiExec.exe
PID 2856 wrote to memory of 3728	2856	msiexec.exe	installer.exe
PID 2856 wrote to memory of 3728	2856	msiexec.exe	installer.exe
PID 2856 wrote to memory of 3728	2856	msiexec.exe	installer.exe
PID 3728 wrote to memory of 2284	3728	installer.exe	bspatch.exe
PID 3728 wrote to memory of 2284	3728	installer.exe	bspatch.exe
PID 3728 wrote to memory of 2284	3728	installer.exe	bspatch.exe
PID 3728 wrote to memory of 2520	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 2520	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 2520	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 772	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 772	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 772	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 2392	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 2392	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 2392	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 3928	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 3928	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 3928	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 1016	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 1016	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 1016	3728	installer.exe	unpack200.exe
PID 3728 wrote to memory of 3012	3728	installer.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\r.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:652

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\jds259312062.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259312062.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\Installer\MSI16A6.tmp
"C:\Windows\Installer\MSI16A6.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" /x {4A03706F-666A-4037-7777-5F2748764D10} /qn
4⤵
PID:2268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8C213C9E54FB7FC00A378A5D339D925E
2⤵
- Loads dropped DLL
PID:940

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E1EFC9669DB9C0A615D91B6BEC99000A E Global\MSI0000
2⤵
- Loads dropped DLL
PID:2444

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ED16FB829968AA93A1D1734F3B8C584C
2⤵
- Loads dropped DLL
PID:3248

C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_281\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180281F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728

C:\ProgramData\Oracle\Java\installcache\259429078.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:2284

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:772

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2392

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3928

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012

C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_281\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_281\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3976

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaw.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252

C:\Program Files (x86)\Java\jre1.8.0_281\bin\ssvagent.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4072

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2CB28076E7F0ED5EB0EE55B2E98A360A E Global\MSI0000
2⤵
PID:2148

C:\Windows\Installer\MSI2872.tmp
"C:\Windows\Installer\MSI2872.tmp" INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_281\\" ProductCode={26A24AE4-039D-4CA4-87B4-2F32180281F0} /s BASEIMAGECHECKSUMSHA256=
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:2260

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 00AC561E42E09526F3B907B94228BE15
2⤵
PID:3500

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BC9EA0E14E02D78B794EED422ECC4E33
2⤵
PID:512

C:\Users\Admin\Desktop\New folder\installer.exe
"C:\Users\Admin\Desktop\New folder\installer.exe" /s INSTALLDIR="C:\Users\Admin\Desktop\New folder\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180281F0}
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:944

C:\ProgramData\Oracle\Java\installcache\259614343.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/plugin.pack" "C:\Users\Admin\Desktop\New folder\lib/plugin.jar"
3⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/javaws.pack" "C:\Users\Admin\Desktop\New folder\lib/javaws.jar"
3⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/deploy.pack" "C:\Users\Admin\Desktop\New folder\lib/deploy.jar"
3⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/rt.pack" "C:\Users\Admin\Desktop\New folder\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/jsse.pack" "C:\Users\Admin\Desktop\New folder\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/charsets.pack" "C:\Users\Admin\Desktop\New folder\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Desktop\New folder\bin\unpack200.exe
"C:\Users\Admin\Desktop\New folder\bin\unpack200.exe" -r "C:\Users\Admin\Desktop\New folder\lib/ext/localedata.pack" "C:\Users\Admin\Desktop\New folder\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:2940

C:\Users\Admin\Desktop\New folder\bin\javaw.exe
"C:\Users\Admin\Desktop\New folder\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\Desktop\New folder\bin\ssvagent.exe
"C:\Users\Admin\Desktop\New folder\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2008

C:\Users\Admin\Desktop\New folder\bin\javaws.exe
"C:\Users\Admin\Desktop\New folder\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Users\Admin\Desktop\New folder\bin\jp2launcher.exe
"C:\Users\Admin\Desktop\New folder\bin\jp2launcher.exe" -secure -javaws -jre "C:\Users\Admin\Desktop\New folder" -vma LWNsYXNzcGF0aABDOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxsaWJcamF2YXdzLmphcjtDOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcbGliXGRlcGxveS5qYXI7QzpcVXNlcnNcQWRtaW5cRGVza3RvcFxOZXcgZm9sZGVyXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Users\Admin\Desktop\New folder\bin\javaws.exe
"C:\Users\Admin\Desktop\New folder\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\Desktop\New folder\bin\jp2launcher.exe
"C:\Users\Admin\Desktop\New folder\bin\jp2launcher.exe" -secure -javaws -jre "C:\Users\Admin\Desktop\New folder" -vma LWNsYXNzcGF0aABDOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFVzZXJzXEFkbWluXERlc2t0b3BcTmV3IGZvbGRlclxsaWJcamF2YXdzLmphcjtDOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcbGliXGRlcGxveS5qYXI7QzpcVXNlcnNcQWRtaW5cRGVza3RvcFxOZXcgZm9sZGVyXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxVc2Vyc1xBZG1pblxEZXNrdG9wXE5ldyBmb2xkZXJcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 184
5⤵
- Program crash
PID:1656

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 008C75B55299A6D002F25943C3890531 E Global\MSI0000
2⤵
PID:2908

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\jds259357406.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259357406.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\jds259362718.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259362718.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\jds259375234.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259375234.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:1000

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\jds259383546.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259383546.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 3272
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2296

C:\Users\Admin\Desktop\JavaSetup8u281.exe
"C:\Users\Admin\Desktop\JavaSetup8u281.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Local\Temp\jds259464671.tmp\JavaSetup8u281.exe
"C:\Users\Admin\AppData\Local\Temp\jds259464671.tmp\JavaSetup8u281.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 3940
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Users\Admin\Desktop\akrien.exe
"C:\Users\Admin\Desktop\akrien.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:1452

C:\Users\Admin\Desktop\akrien.exe
"C:\Users\Admin\Desktop\akrien.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2632

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:1360

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
9856e16f30ac0dd4ef8025493c438428

SHA1
6f43ff5f3ea65b70ee30b7cd21e25d9adcb96d82

SHA256
3c378e0874bd83d0360c771205769ead2d5f91768f994ce3384163e0b413c11f

SHA512
b918b899eeb25db7b8783296176e5f17533227b1aa2e04371c7666dbf685527ad4c290850fa1f0da3e2bf42e23fe4e2f273df99e33928a78114b1388731f246f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
1159655d0dd7b482319628ecd8c24bdb

SHA1
569b146905d7d5661746f3266cf923bd25e7e94f

SHA256
682354aa37c6f2435c22e8f9b7ff933518083ce8563c4d35f2a68802a0f0c1fd

SHA512
766d8ab83c95b241dd4b73644467c73828a301efad93bd3cfdcb5d6ddb95123592ac2be00fbff8514fae8292d31f89bea99e7ac3c8b22509e440f972c0dfec24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
3a7aa3008da8a23387fe515dc0633c77

SHA1
9fea19741b0e31c5f8b7b0a6337872b33df1ee29

SHA256
8dec7feb428e9ecdc00257e7ddd716480c27cc767c5a3b6ec5a1a798f8b910e8

SHA512
7b0e10bbb497dfecd1191c16c23cc759e119beb0ca049accd9dfbe43b8101acd94d9f372ebd6ee4b70fcdc2ca710b93ca1378521872f42239fb33fad19a76102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
12ef62de4d90dd27ddd9d803ece21a4a

SHA1
78bc7305f33eaab18204b0c3f624957b41dcb548

SHA256
10e559bbe249ec21ea8d0a8c5ded0ad96ffb108ceda215375a449c28081d53c0

SHA512
c701f2255884c58c68a8011990d846bc0b32f8a894b749689b84412ce31915919ec703546520c3da1be15d732334966311e80db2a32a111c838b0737c415b67e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
9266bdcd9e0ab2f32f5233695989c122

SHA1
ac8c6b34f9a4103dc20d27dea7b7ce351ad2c741

SHA256
3f61efb24959f41fae67e71949da9f042291a1c37be45b74db40c94ee8dcb3eb

SHA512
1a5772fc5fd99288418e55872b9d0195778f5c8f6adf278cbb45a735d98021fc62938e6f4d651f2934ca10b92cc3efc9e5e32c74a9be951467693112cb132621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
c8099a924112d3f4315c4a07d8f8e46b

SHA1
634a8620e3297b650ad9d4f92ddbb6c3be2d1a06

SHA256
8674261928648f3594470ff1c77e1fc9f397fcf344ece843195a86e6ce661ac7

SHA512
1d8b2131a26971c62d4e96c78bcfa32c7f993a56348643cabf3222aa32ed9a2ac47fd2d10f4c41ed85d708194fc895e16daf54017b47944649dca5668510b918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
f79349008dc5380abdcd6cafbea74bba

SHA1
5f1efa191cbd0de98326708b0f34e5f58ef598d5

SHA256
4840ae778bc6762ca4ddb1c37b61c229239ce120b67a189d276768072f8ee505

SHA512
1cbfd7d3df62182dd81af2bff769132f49f148d4fe3c3d9f988ac9bcf755c01f62bd048ee9c32b674dd5e3a304fd43b583ac3c78af4cbaf2c43c6eedd8e26223

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\au.msi
MD5
88435c6298eff7ecf4fda8414d4b5c8c

SHA1
66d51843316a86d70b1b7799a6d74d492e413c64

SHA256
18ee9710217a0a341ef0b82324274a3a4ada6745934834e022ae12d19fb04981

SHA512
d46b1ad30244e0770fd040b7a9271846482c03a054ff727ccd840b0312650652a6c589c6ebca380f96fcf06fbc560d4d99a8f34c903108d1c94e93636ff0910b

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\jre1.8.0_281full.msi
MD5
cd6bbef4f6df0d6a0c9193a67f27b222

SHA1
e2fcc99c1fcc4203d1481620099f2dd156f5afaf

SHA256
ba28b247930d19fb8ad6553fb4a154cd8a40046507850c1f4af887223a5bedfc

SHA512
8ed7a70dfd9299e2ae105756186caf87fbbf11ecf57d0a2b22d49a8a28e9ecdf05cfce3654048548827497c6f5969729e1baaf98e8010773a97323c9274b64f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
27163914d6a8e50c1aef46ee46c093a7

SHA1
d9880a1a2475c7359e0c5254f6f51b2f8cf9b289

SHA256
463fc2144ed4107e1462e2360e2baebfcde064dd8698375f015471abc20c2c5b

SHA512
70c25abf89442765c42ccfee99cd8396d8d06d8f984aac5c91dfa96ef8ba9f2c8cba7cb9d5062e5e9036e3dd09d83f5ac56c687549d203465c020e997d1d48b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281\msi.tmp
MD5
c0e6d8887ccdf3376fcd87f20009b043

SHA1
2248952e0148d92eec7d03a832d269062e152a68

SHA256
001805d209448562eb98b92cb74933aa0b713f81437863591826b1ccea5350ab

SHA512
a40b82fa20115b4ffdcbf9e7f3abde074c33d9461c4db21dd483e61ef189c6d90bb3ae8187b3742181d8beb619f413e9e816fd81d15a4109858383cbbff8fbc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
MD5
4ebed8a207353660dcca35040828b891

SHA1
44c9ee4d98d6bfde102ebcbf5b7d17c6dbfa4c42

SHA256
80afd583601ea8f846e9026ec78e860db1381ee8a93e48207c057aaf6a0b22ef

SHA512
819209472bb7a0a8747a75ed7bb7e2459fa6e7046eb4ea96fadd3f5cfcfe8df182d8480934f29566413f8820f5ec76846d28bec3252ff6a850dc83f4351d59b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259312062.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259312062.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259357406.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259357406.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259362718.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259362718.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259375234.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259375234.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259383546.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259383546.tmp\JavaSetup8u281.exe
MD5
e4b05bf48c68e93439bfbde5aab496f8

SHA1
067fb8c9f438defdf601e588302389f6d161300d

SHA256
bc61c7e1384e7ad96a2e9edc78b18a5ce706fd05dfdb095556191f831250978d

SHA512
3770a5cc2f5da8e087139abd5ca02feccbd85ff08da741c91597e3751049eb91919d1e9e8b8872588d5d18943fb08af3f2f773817b85b2c430d6ea599471eb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
27405e0df6da43407e4829095c4c0fc5

SHA1
c4926657b5e51dc8616c591fded9e9cf1406c14a

SHA256
e222f9203c444f05419be766f9e30cab7876e2e4441a68c21e1afb9c187fe5d2

SHA512
825507c60c6c90c732f8c3cf5ee98fa3f2c6ec3cb5fbbd20fb183c9d2e370cbf8e584449f8edbf3862c77ac6e13e67eb518082d84916b22635a6d2a4ee0f9594

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
9da943c746fd3a8d4a69618eed3e093b

SHA1
be7ac641d265114f359aa4da9ca6ed25d29cb32a

SHA256
98ac710b40fbc043487f08138f8602483a4ac6f8063cc2b3d0714e90a8c8cf1c

SHA512
df8c097c5dcd4ebf1e381388d0aa9121bb84c18df653034f19315d327ce021ceaa96fab0fb939fcbff1bbe4fdb6b64da0d6460fa0045a7aeb455336157f12f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c85ce23130d3c68cd7db476bb7b5aded

SHA1
0561dc762a5ed126b9e30b9e6d43c7f04545863e

SHA256
8bbb72448b37dc2353ebdda020d7472aa63b4645c0ca30b180dbfec88aa05ca3

SHA512
42d4f1ed1109ab00c643e778756ea669a1291ea2439cd4f79acd0f4ab6107617e036b1b7d3cd7ef17e96239ba246f2157ef511e47d9916dd46fc2dca5b1c47bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
da260949bada78b4c90e49e8fbde1757

SHA1
b39b7e444407de8e468a712a9722c6a29093c31e

SHA256
b3c6a32c44c848b929f30cd87610b1b9658db7e2a4e71f1e24871f61f06ce840

SHA512
69c74bae3728775db0e37a79a85547dfbc8b42bb2c9564d57e8ddd96a71f2eb3ac15da634a30f1eec186c784feef5692d610415a5971f21fa7a4149a78033370

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
da260949bada78b4c90e49e8fbde1757

SHA1
b39b7e444407de8e468a712a9722c6a29093c31e

SHA256
b3c6a32c44c848b929f30cd87610b1b9658db7e2a4e71f1e24871f61f06ce840

SHA512
69c74bae3728775db0e37a79a85547dfbc8b42bb2c9564d57e8ddd96a71f2eb3ac15da634a30f1eec186c784feef5692d610415a5971f21fa7a4149a78033370

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
da260949bada78b4c90e49e8fbde1757

SHA1
b39b7e444407de8e468a712a9722c6a29093c31e

SHA256
b3c6a32c44c848b929f30cd87610b1b9658db7e2a4e71f1e24871f61f06ce840

SHA512
69c74bae3728775db0e37a79a85547dfbc8b42bb2c9564d57e8ddd96a71f2eb3ac15da634a30f1eec186c784feef5692d610415a5971f21fa7a4149a78033370

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
da260949bada78b4c90e49e8fbde1757

SHA1
b39b7e444407de8e468a712a9722c6a29093c31e

SHA256
b3c6a32c44c848b929f30cd87610b1b9658db7e2a4e71f1e24871f61f06ce840

SHA512
69c74bae3728775db0e37a79a85547dfbc8b42bb2c9564d57e8ddd96a71f2eb3ac15da634a30f1eec186c784feef5692d610415a5971f21fa7a4149a78033370

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
3f62899f6cb172c6b454d2f7cbd77e53

SHA1
cf317bf1b30467bd11423464e10763e8f99ef70f

SHA256
acab223cae27245e0044b692dd2efeafd9a550fba610ae2e9a219cfe8b82cdd3

SHA512
0a1a6ee105bc6a3081c5bfb3dfed80bf46810e1c3ff15753723c7bd40d3f1eb1baedffe1279b99d3e62172eb14d6ae1f517bb145327238a8216700ab42917c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
ee311694ae6fe46a609edf7db1078c99

SHA1
045d274f4415f1c6cd3b0bb035a909f7d03b6f07

SHA256
3b862730c767fff573039e05a2ec2ecade4f31f8684d18305882790de4ff81e7

SHA512
e16cdbde8d3a799041f7006213a5cedecb739ba3eab16abab9dc453275c5bb819038255b5307ed7ef8a738142bd18eec4226fdd8e5b0ee8c2fe22a5553c94b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
f7e5e01bcc35f68953ca6e48f3eb63d4

SHA1
7162768668ccf3d5fdc7c3fafb37157d2245c2ac

SHA256
a82b629580febe667e3d212b204af48605a41f3b058c1857c5d112c5434db05f

SHA512
5ea2b69fe7cd80ac0163e504c2f17c6ce73b48c05dcd66d9aaf5a900275d4baec56ba551e14f889b8c0dcd6360477f593968228680533cd1015c7e2fa40c3953

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
1963fc692c86ef3fb64d3bc1954f79f3

SHA1
3cfa0ea3356e26e61b71f7a187bdcd325e7394ad

SHA256
11f78fe81e3565ced0bff1c7c2eb1d1dad2f8935fc592f705f4d842a471595c4

SHA512
82f3c7b6156c602e9d698f35e702b523341509631722f30a73e64a99073e1c8b29ed5ffcf72ed3cdf0faf9cb27dcdd21939fb07bc020f247c13e26823e737927

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c02a72a92ac92db15ca0c2c2fe9a86fd

SHA1
8a76c237b685f6274d608ffdd312e10456127ddb

SHA256
dcf83f6beed887ca25741192a6a29f899a80db10346b1eeb11f7579b25d5ab06

SHA512
ed63d22b2f780afa543068e0568f88e1dee9f0399a375b7c3d34d64783b5268105812dda025a9a1c690817d3d1ef9ba8496a1adefda0644bb2b10331b2c88e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
8af8d0fc517afdca15ad82086a4a22b0

SHA1
59248d4f87ec142f687e380681f698173a9c82e9

SHA256
d33a8089830de72ffc72b6be81d3680ee7d40c51660142ee719e21a995926f54

SHA512
8b351b067cdd6278fe0c9f895ee4990a3423350fb51b07703fc2e4a483be851ebb6c14c07a6b9188b7315cf0d381cc67400b9629d0d3722c6592cf0a71ba435e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
5b26c655cbd6acee0ce629d712f5dcea

SHA1
8da8414d2004be58e1687fb0a2e7d3939d0f25c3

SHA256
481e2edbb97820c389120f31b7cdc6cd92b9f3f1efe2d4b8d1fe638acd9324c2

SHA512
0774b2782faaa3af9204ca80630c2d6745cdf8221821997885a848b1d78b84a3e664496180623999cf814449d0bba3af931960c2dc36b82a1669819796fbabb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
bf05c9ae209a069f848f218670e63c6d

SHA1
2276dc240a14dcd4ccdb5d3bbb9b0a471a806da3

SHA256
021cefd95cb85e422bb41907ab8ce02447e62c29e4af178c75a380835ff29ded

SHA512
6e9ae338e3f2897e1b4ec98225b4cb3835f174550b0adf9777f3600028a6c60f19dac4c12811a8abc792c4f386fc1c9dea5f9a61d6c822eb343ad4e8b876ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c6f294f51536ad18acb0b30a900b095e

SHA1
8f5124217084e711f854b6b8dddcce9a9581320d

SHA256
dc59e1ff5a6c3a177d4586420e4ea09252a0e46e654e02c60bf086a2295e9ade

SHA512
ad790921101dd5f23bf986fc16bd095c47ab649a491837f46e06448368d33b780c9e498a42cda198520272dc5efdabc80bc04a08499f541c9e26f428bdded184

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
2195768071bc994cba1af1ee89f9ca69

SHA1
f8e903aa39a0e90f1a13cc7d4e6575c6c2dd9073

SHA256
341f0f3c9fbc5ae197bed23ba142910b3a5f8d24a3a1877daa6b03ad8ddb432b

SHA512
d179ed855314002d5cf4fcd6e62e672681c0c69a5d0cf2df55161ea61bbb53dd875ffca943df8aa7d18300427812fdd6209923b1829d6723a33e0c72effdba82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
2d8c92352bbd936dc466f1da5a25f3bc

SHA1
33909316faf147571dda29cf6288aa0c0762c66d

SHA256
998b1f49e701a319a2dcf4918cd8d6034a80b651f6850b12eeb9de0a89745614

SHA512
96c0f81b230baf66d97786035426148c3cf8d3a4af791d7d668c5b80b28fe2fcd198740adb541436d997a874c9815a6da9c69bf21709e8f10fd4a8bceb088635

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
2d8c92352bbd936dc466f1da5a25f3bc

SHA1
33909316faf147571dda29cf6288aa0c0762c66d

SHA256
998b1f49e701a319a2dcf4918cd8d6034a80b651f6850b12eeb9de0a89745614

SHA512
96c0f81b230baf66d97786035426148c3cf8d3a4af791d7d668c5b80b28fe2fcd198740adb541436d997a874c9815a6da9c69bf21709e8f10fd4a8bceb088635

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
445e81250eda8fd1353279ec572ba059

SHA1
19e962323d5e44413d3ae981562ad9bccba8638a

SHA256
d2cef057051c78b0292af660020f14cd335df33d332f83ff4ed0d79ab09bdf74

SHA512
3aa7898348be76271d93afe6ae7a0404dd622555068477b324c99147d2aece8ae120fe0b9e389979ca0c08c233f83b0604b1e20d95cb78cdf1ec8ea91926250f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
445e81250eda8fd1353279ec572ba059

SHA1
19e962323d5e44413d3ae981562ad9bccba8638a

SHA256
d2cef057051c78b0292af660020f14cd335df33d332f83ff4ed0d79ab09bdf74

SHA512
3aa7898348be76271d93afe6ae7a0404dd622555068477b324c99147d2aece8ae120fe0b9e389979ca0c08c233f83b0604b1e20d95cb78cdf1ec8ea91926250f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
36df9719b39b364a66b4184dfd34d8ac

SHA1
527ccb8b9b968e217d90265b4c5e9e035a05d153

SHA256
bfde0db9d8497ba337bdf06188646db02009e67a49e1b9133fe232a51b147d97

SHA512
5a859b49fe6e7187ac1e6134771e77d8c575c7c6cc85b5504c16ecfeecaea68ac546511f3044e6215314dc370eaca9ded1468bcf403bc6438e93c86b04038e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
43b7980150a979127e4db776e4c7fbe7

SHA1
299b0e49a50a89157ac99cad51eb018bd4851a9e

SHA256
9a852f03dd110601710f2b66d38edeccc397529ee0a95abd213a25b676cc442b

SHA512
1ddb3472da18e89569c5b877f0238a1ed55f486c57a27a24cd85af2847cbdd657941e215a382da587c37cd2405f5d448306eeedc211673d2b3dfcd5a7cd389f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
b71efa159e886a73495da4c39e27a5a1

SHA1
c1df356ceca45e72e4c4bbc87206b36b63d33285

SHA256
61140cf20ed302cfbb4c19be574adf1b2e52847ded0b2f3c7af5d5ce675158fd

SHA512
84d97cece207bc4270fadd7091848c2dcc3d69de946f6cd9e0de2ab445ad483b9243a2c8c79110d1e81112f138487e896ddac25dfda7dd4cb9e766e777bf0f31

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Users\Admin\Desktop\JavaSetup8u281.exe
MD5
a54c026f6fdf3f059cb52fbda1d2e979

SHA1
8d2161430f47c7e843b4001bceb23f7fd8a34a48

SHA256
ea2df4efa55d554db4a547c343e42d06eb31b1211e1dd516f3b1ffbc1cdceaae

SHA512
f43f66694ddc60a3db41a9c60314a5e77fb16ec10ca6e503aa2754cf11894a1c3abc21bd75c7a99e8ba77811b6edb3479f5bdcc199f6c78557534cc22824be5e

Download Submit
C:\Windows\Installer\MSI16A6.tmp
MD5
36565c7aa5355f98e059fc031d28ef9c

SHA1
43e2a29f40a9efc2aa4056b946e2eac12d0bff11

SHA256
212b711d72c66dc47603bcee4cfe3e80fea84c818168341082fe7aa12552278c

SHA512
fa3452acdce4322c95eacdcdb5957c409cd1373c269908703c69b9a5a7d5fdb3ce36a4c214d95e1078eef164428c5fea322e183d394e212e24e66c4b2df72330

Download Submit
C:\Windows\Installer\MSI16A6.tmp
MD5
36565c7aa5355f98e059fc031d28ef9c

SHA1
43e2a29f40a9efc2aa4056b946e2eac12d0bff11

SHA256
212b711d72c66dc47603bcee4cfe3e80fea84c818168341082fe7aa12552278c

SHA512
fa3452acdce4322c95eacdcdb5957c409cd1373c269908703c69b9a5a7d5fdb3ce36a4c214d95e1078eef164428c5fea322e183d394e212e24e66c4b2df72330

Download Submit
C:\Windows\Installer\MSI4088.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSI43C7.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSI44B3.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
\Windows\Installer\MSI4088.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
\Windows\Installer\MSI43C7.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
\Windows\Installer\MSI44B3.tmp
MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
memory/512-159-0x0000000000000000-mapping.dmp

Download
memory/544-76-0x0000000000000000-mapping.dmp

Download
memory/668-233-0x0000000000000000-mapping.dmp

Download
memory/772-90-0x0000000000000000-mapping.dmp

Download
memory/908-167-0x0000000000000000-mapping.dmp

Download
memory/908-188-0x0000000000000000-mapping.dmp

Download
memory/940-27-0x0000000000000000-mapping.dmp

Download
memory/944-192-0x0000000000000000-mapping.dmp

Download
memory/1000-152-0x0000000000000000-mapping.dmp

Download
memory/1016-93-0x0000000000000000-mapping.dmp

Download
memory/1240-191-0x0000000000000000-mapping.dmp

Download
memory/1436-259-0x0000000000000000-mapping.dmp

Download
memory/1512-267-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/1512-265-0x0000000003328000-0x0000000003330000-memory.dmp

Filesize
32KB

Download
memory/1512-270-0x00000000033A0000-0x00000000033A8000-memory.dmp

Filesize
32KB

Download
memory/1512-263-0x0000000003338000-0x0000000003340000-memory.dmp

Filesize
32KB

Download
memory/1512-260-0x0000000000000000-mapping.dmp

Download
memory/1512-269-0x0000000003398000-0x00000000033A0000-memory.dmp

Filesize
32KB

Download
memory/1512-166-0x0000000000000000-mapping.dmp

Download
memory/1512-268-0x0000000003388000-0x0000000003390000-memory.dmp

Filesize
32KB

Download
memory/1512-264-0x0000000003340000-0x0000000003348000-memory.dmp

Filesize
32KB

Download
memory/1512-266-0x0000000003390000-0x0000000003398000-memory.dmp

Filesize
32KB

Download
memory/1624-18-0x0000000000000000-mapping.dmp

Download
memory/1640-46-0x0000000000000000-mapping.dmp

Download
memory/1912-194-0x0000000000000000-mapping.dmp

Download
memory/2008-218-0x0000000000000000-mapping.dmp

Download
memory/2064-193-0x0000000000000000-mapping.dmp

Download
memory/2096-158-0x0000000000000000-mapping.dmp

Download
memory/2116-39-0x0000000000000000-mapping.dmp

Download
memory/2120-99-0x0000000000000000-mapping.dmp

Download
memory/2128-200-0x0000000000000000-mapping.dmp

Download
memory/2132-100-0x0000000000000000-mapping.dmp

Download
memory/2132-122-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/2132-101-0x0000000003000000-0x0000000003028000-memory.dmp

Filesize
160KB

Download
memory/2132-102-0x00000000030A8000-0x00000000030B0000-memory.dmp

Filesize
32KB

Download
memory/2132-103-0x0000000003048000-0x0000000003050000-memory.dmp

Filesize
32KB

Download
memory/2132-104-0x0000000003050000-0x0000000003058000-memory.dmp

Filesize
32KB

Download
memory/2132-105-0x0000000003038000-0x0000000003040000-memory.dmp

Filesize
32KB

Download
memory/2132-106-0x00000000030A0000-0x00000000030A8000-memory.dmp

Filesize
32KB

Download
memory/2132-108-0x0000000003098000-0x00000000030A0000-memory.dmp

Filesize
32KB

Download
memory/2132-107-0x0000000003040000-0x0000000003048000-memory.dmp

Filesize
32KB

Download
memory/2132-109-0x00000000030B0000-0x00000000030B8000-memory.dmp

Filesize
32KB

Download
memory/2132-110-0x00000000030B8000-0x00000000030C0000-memory.dmp

Filesize
32KB

Download
memory/2132-111-0x00000000030C0000-0x00000000030C8000-memory.dmp

Filesize
32KB

Download
memory/2132-113-0x00000000030C8000-0x00000000030D0000-memory.dmp

Filesize
32KB

Download
memory/2132-114-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/2132-115-0x00000000030D8000-0x00000000030E0000-memory.dmp

Filesize
32KB

Download
memory/2132-112-0x0000000003108000-0x0000000003110000-memory.dmp

Filesize
32KB

Download
memory/2132-116-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/2132-117-0x0000000003118000-0x0000000003120000-memory.dmp

Filesize
32KB

Download
memory/2132-118-0x0000000003128000-0x0000000003130000-memory.dmp

Filesize
32KB

Download
memory/2132-119-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/2132-120-0x00000000030E0000-0x00000000030E8000-memory.dmp

Filesize
32KB

Download
memory/2132-121-0x00000000030E8000-0x00000000030F0000-memory.dmp

Filesize
32KB

Download
memory/2132-124-0x0000000003100000-0x0000000003108000-memory.dmp

Filesize
32KB

Download
memory/2132-123-0x00000000030F8000-0x0000000003100000-memory.dmp

Filesize
32KB

Download
memory/2148-151-0x0000000000000000-mapping.dmp

Download
memory/2232-163-0x00007FFC50750000-0x00007FFC50752000-memory.dmp

Filesize
8KB

Download
memory/2232-184-0x0000000003730000-0x0000000003740000-memory.dmp

Filesize
64KB

Download
memory/2232-177-0x00000000036C0000-0x00000000036D0000-memory.dmp

Filesize
64KB

Download
memory/2232-180-0x00000000036F0000-0x0000000003700000-memory.dmp

Filesize
64KB

Download
memory/2232-176-0x00000000036B0000-0x00000000036C0000-memory.dmp

Filesize
64KB

Download
memory/2232-175-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/2232-179-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/2232-178-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/2232-181-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/2232-182-0x0000000003710000-0x0000000003720000-memory.dmp

Filesize
64KB

Download
memory/2232-171-0x00007FFC50770000-0x00007FFC50772000-memory.dmp

Filesize
8KB

Download
memory/2232-174-0x0000000003430000-0x00000000036A0000-memory.dmp

Filesize
2.4MB

Download
memory/2232-183-0x0000000003720000-0x0000000003730000-memory.dmp

Filesize
64KB

Download
memory/2232-185-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/2252-96-0x0000000000000000-mapping.dmp

Download
memory/2252-97-0x00000000029F0000-0x0000000002A18000-memory.dmp

Filesize
160KB

Download
memory/2260-155-0x0000000000000000-mapping.dmp

Download
memory/2268-23-0x0000000000000000-mapping.dmp

Download
memory/2284-88-0x0000000000000000-mapping.dmp

Download
memory/2312-130-0x0000000002F38000-0x0000000002F40000-memory.dmp

Filesize
32KB

Download
memory/2312-133-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/2312-147-0x0000000002F80000-0x0000000002F88000-memory.dmp

Filesize
32KB

Download
memory/2312-148-0x0000000002F88000-0x0000000002F90000-memory.dmp

Filesize
32KB

Download
memory/2312-149-0x0000000002F90000-0x0000000002F98000-memory.dmp

Filesize
32KB

Download
memory/2312-150-0x0000000002F98000-0x0000000002FA0000-memory.dmp

Filesize
32KB

Download
memory/2312-145-0x0000000002F70000-0x0000000002F78000-memory.dmp

Filesize
32KB

Download
memory/2312-144-0x0000000002F68000-0x0000000002F70000-memory.dmp

Filesize
32KB

Download
memory/2312-143-0x0000000002F60000-0x0000000002F68000-memory.dmp

Filesize
32KB

Download
memory/2312-142-0x0000000002F58000-0x0000000002F60000-memory.dmp

Filesize
32KB

Download
memory/2312-141-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/2312-140-0x0000000002F48000-0x0000000002F50000-memory.dmp

Filesize
32KB

Download
memory/2312-139-0x0000000002F40000-0x0000000002F48000-memory.dmp

Filesize
32KB

Download
memory/2312-138-0x0000000002F28000-0x0000000002F30000-memory.dmp

Filesize
32KB

Download
memory/2312-126-0x0000000000000000-mapping.dmp

Download
memory/2312-128-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/2312-129-0x0000000002EB8000-0x0000000002EC0000-memory.dmp

Filesize
32KB

Download
memory/2312-132-0x0000000002EA8000-0x0000000002EB0000-memory.dmp

Filesize
32KB

Download
memory/2312-131-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

Filesize
32KB

Download
memory/2312-146-0x0000000002F78000-0x0000000002F80000-memory.dmp

Filesize
32KB

Download
memory/2312-135-0x0000000002F08000-0x0000000002F10000-memory.dmp

Filesize
32KB

Download
memory/2312-137-0x0000000002F20000-0x0000000002F28000-memory.dmp

Filesize
32KB

Download
memory/2312-136-0x0000000002F18000-0x0000000002F20000-memory.dmp

Filesize
32KB

Download
memory/2312-134-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

Filesize
32KB

Download
memory/2392-91-0x0000000000000000-mapping.dmp

Download
memory/2444-30-0x0000000000000000-mapping.dmp

Download
memory/2512-16-0x0000000000000000-mapping.dmp

Download
memory/2512-168-0x0000000000000000-mapping.dmp

Download
memory/2512-165-0x0000000000000000-mapping.dmp

Download
memory/2512-17-0x0000000005330000-0x00000000055A0000-memory.dmp

Filesize
2.4MB

Download
memory/2520-89-0x0000000000000000-mapping.dmp

Download
memory/2584-190-0x0000000000000000-mapping.dmp

Download
memory/2600-161-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2600-160-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2632-198-0x0000000000000000-mapping.dmp

Download
memory/2640-53-0x0000000000000000-mapping.dmp

Download
memory/2680-157-0x0000000000000000-mapping.dmp

Download
memory/2908-261-0x0000000000000000-mapping.dmp

Download
memory/2912-14-0x0000000007590000-0x0000000007594000-memory.dmp

Filesize
16KB

Download
memory/2912-63-0x0000000000000000-mapping.dmp

Download
memory/2912-10-0x0000000000000000-mapping.dmp

Download
memory/2928-199-0x0000000000000000-mapping.dmp

Download
memory/2940-201-0x0000000000000000-mapping.dmp

Download
memory/3012-94-0x0000000000000000-mapping.dmp

Download
memory/3084-189-0x0000000000000000-mapping.dmp

Download
memory/3148-15-0x0000000000000000-mapping.dmp

Download
memory/3164-85-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3164-84-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3192-196-0x0000000000000000-mapping.dmp

Download
memory/3228-195-0x0000000000000000-mapping.dmp

Download
memory/3248-83-0x0000000000000000-mapping.dmp

Download
memory/3500-156-0x0000000000000000-mapping.dmp

Download
memory/3508-213-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/3508-228-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/3508-212-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/3508-211-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/3508-214-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/3508-215-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/3508-216-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/3508-217-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/3508-209-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/3508-219-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/3508-221-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/3508-222-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/3508-223-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/3508-224-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/3508-225-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/3508-220-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/3508-227-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/3508-205-0x00007FFC50770000-0x00007FFC50772000-memory.dmp

Filesize
8KB

Download
memory/3508-226-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/3508-229-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/3508-230-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/3508-232-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download
memory/3508-231-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/3508-208-0x0000000003040000-0x00000000032B0000-memory.dmp

Filesize
2.4MB

Download
memory/3508-210-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3724-169-0x0000000000000000-mapping.dmp

Download
memory/3728-87-0x0000000000000000-mapping.dmp

Download
memory/3768-197-0x0000000000000000-mapping.dmp

Download
memory/3792-202-0x0000000000000000-mapping.dmp

Download
memory/3924-125-0x0000000000000000-mapping.dmp

Download
memory/3928-92-0x0000000000000000-mapping.dmp

Download
memory/3932-6-0x0000000000000000-mapping.dmp

Download
memory/3976-95-0x0000000000000000-mapping.dmp

Download
memory/3984-71-0x0000000000000000-mapping.dmp

Download
memory/3992-240-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/3992-257-0x0000000003360000-0x0000000003368000-memory.dmp

Filesize
32KB

Download
memory/3992-247-0x0000000003310000-0x0000000003318000-memory.dmp

Filesize
32KB

Download
memory/3992-246-0x0000000003308000-0x0000000003310000-memory.dmp

Filesize
32KB

Download
memory/3992-248-0x0000000003318000-0x0000000003320000-memory.dmp

Filesize
32KB

Download
memory/3992-249-0x0000000003320000-0x0000000003328000-memory.dmp

Filesize
32KB

Download
memory/3992-250-0x0000000003328000-0x0000000003330000-memory.dmp

Filesize
32KB

Download
memory/3992-251-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/3992-252-0x0000000003338000-0x0000000003340000-memory.dmp

Filesize
32KB

Download
memory/3992-253-0x0000000003340000-0x0000000003348000-memory.dmp

Filesize
32KB

Download
memory/3992-254-0x0000000003348000-0x0000000003350000-memory.dmp

Filesize
32KB

Download
memory/3992-255-0x0000000003350000-0x0000000003358000-memory.dmp

Filesize
32KB

Download
memory/3992-256-0x0000000003358000-0x0000000003360000-memory.dmp

Filesize
32KB

Download
memory/3992-245-0x00000000032E8000-0x00000000032F0000-memory.dmp

Filesize
32KB

Download
memory/3992-258-0x0000000003368000-0x0000000003370000-memory.dmp

Filesize
32KB

Download
memory/3992-244-0x00000000032D8000-0x00000000032E0000-memory.dmp

Filesize
32KB

Download
memory/3992-243-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/3992-242-0x0000000003300000-0x0000000003308000-memory.dmp

Filesize
32KB

Download
memory/3992-241-0x00000000032F8000-0x0000000003300000-memory.dmp

Filesize
32KB

Download
memory/3992-239-0x0000000003278000-0x0000000003280000-memory.dmp

Filesize
32KB

Download
memory/3992-238-0x00000000032F0000-0x00000000032F8000-memory.dmp

Filesize
32KB

Download
memory/3992-237-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/3992-234-0x0000000000000000-mapping.dmp

Download
memory/3992-236-0x0000000003288000-0x0000000003290000-memory.dmp

Filesize
32KB

Download
memory/3992-235-0x0000000003240000-0x0000000003268000-memory.dmp

Filesize
160KB

Download
memory/4072-98-0x0000000000000000-mapping.dmp

Download