a176e914f8c97804bafd4c619cc0e3986ea2b8b3fdba793884906b6d6ef0d124

Analysis

max time kernel
257s
max time network
258s
platform
windows10_x64
resource
win10v20201028
submitted
19-02-2021 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader.exe
Size

9.7MB
MD5

6b8d4a6fe634501bb85e2e1507d46e32
SHA1

64884341f5afa812b8c8cae40664940a86a7e8e7
SHA256

a176e914f8c97804bafd4c619cc0e3986ea2b8b3fdba793884906b6d6ef0d124
SHA512

f3fd4fa0243312622f085df3abfc571c99cdd0d551721774ff0cb983f2a4bf9d512cf6d0ae4f80cc13e389701853f040585e00a63735772ea3f6cda9a6fd8552

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4956 created 4516 4956 svchost.exe installer.exe
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

188 4048 msiexec.exe

description	pid	process	target process
PID 4956 created 4516	4956	svchost.exe	installer.exe

flow	pid	process
188	4048	msiexec.exe

Executes dropped EXE 17 IoCs

Processes:

jre-8u281-windows-x64.exejre-8u281-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
1508	jre-8u281-windows-x64.exe
4988	jre-8u281-windows-x64.exe
4516	installer.exe
4912	bspatch.exe
420	unpack200.exe
1424	unpack200.exe
4332	unpack200.exe
856	unpack200.exe
4348	unpack200.exe
1476	unpack200.exe
4424	unpack200.exe
3476	javaw.exe
4228	ssvagent.exe
2892	javaws.exe
2364	jp2launcher.exe
3452	javaws.exe
4860	jp2launcher.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeinstaller.exe

pid	process
1432	MsiExec.exe
1432	MsiExec.exe
1432	MsiExec.exe
420	unpack200.exe
1424	unpack200.exe
4332	unpack200.exe
856	unpack200.exe
4348	unpack200.exe
1476	unpack200.exe
4424	unpack200.exe
3476	javaw.exe
3476	javaw.exe
3476	javaw.exe
3476	javaw.exe
3476	javaw.exe
3476	javaw.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe
4516	installer.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exejavaw.exejavaw.exejavaw.exejp2launcher.exejavaw.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\security\policy\unlimited\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-locale-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\jawt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\security\javaws.policy	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\flavormap.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\j2pkcs11.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\xerces.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\sound.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_281\bin\server\ntdll.pdb	jp2launcher.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_281\bin\dll\jvm.pdb	jp2launcher.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-util-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259485562\java.exe	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_281\bin\server\dll\jvm.pdb	jp2launcher.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\ecc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\fontconfig.properties.src	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\javafx\glib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\xalan.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\fontmanager.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\javafx\gstreamer.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\cldr.md	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\giflib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\legal\jdk\icu.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\jdwp.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_281\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\deploy\messages_es.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_281\lib\charsets.jar	unpack200.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180281F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F9A.tmp	msiexec.exe
File created	C:\Windows\Installer\f768a3b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768a3b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI941E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI970D.tmp	msiexec.exe
File created	C:\Windows\Installer\f768a3e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD66.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4604 4988 WerFault.exe jre-8u281-windows-x64.exe
4396 2364 WerFault.exe jp2launcher.exe

pid	pid_target	process	target process
4604	4988	WerFault.exe	jre-8u281-windows-x64.exe
4396	2364	WerFault.exe	jp2launcher.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exemsiexec.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_281\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0186-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0217-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_91"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_133"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0282-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0058-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_02"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0118-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0105-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_11"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0128-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0175-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_41"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_101"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_129"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0271-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0286-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_06"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0118-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0239-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0174-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0276-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0179-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_70"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBA}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_159"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0029-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0081-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0236-ABCDEFFEDCBB}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0120-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0164-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBB}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0178-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_74"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBB}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBA}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_88"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0176-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4600 NOTEPAD.EXE

description	ioc	process
File created	C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe:Zone.Identifier	firefox.exe

pid	process
4600	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

firefox.exeWerFault.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
416	firefox.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe
416	firefox.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
2892	javaws.exe
2892	javaws.exe
2364	jp2launcher.exe
2364	jp2launcher.exe
3452	javaws.exe
3452	javaws.exe
4860	jp2launcher.exe
4860	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exejre-8u281-windows-x64.exemsiexec.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4584	firefox.exe
Token: SeDebugPrivilege	4584	firefox.exe
Token: SeShutdownPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSecurityPrivilege	4048	msiexec.exe
Token: SeCreateTokenPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeLockMemoryPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeMachineAccountPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeTcbPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSecurityPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeTakeOwnershipPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeLoadDriverPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSystemProfilePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSystemtimePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeProfSingleProcessPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeIncBasePriorityPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeCreatePagefilePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeCreatePermanentPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeBackupPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeRestorePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeShutdownPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeDebugPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeAuditPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeChangeNotifyPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeRemoteShutdownPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeUndockPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeSyncAgentPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeEnableDelegationPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeManageVolumePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeImpersonatePrivilege	4988	jre-8u281-windows-x64.exe
Token: SeCreateGlobalPrivilege	4988	jre-8u281-windows-x64.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeDebugPrivilege	4604	WerFault.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4584 firefox.exe
4584 firefox.exe
4584 firefox.exe
4584 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4584 firefox.exe
4584 firefox.exe
4584 firefox.exe

pid	process
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe

pid	process
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

firefox.exefirefox.exefirefox.exejre-8u281-windows-x64.exejp2launcher.exejp2launcher.exe

pid	process
1680	firefox.exe
416	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4584	firefox.exe
4988	jre-8u281-windows-x64.exe
4988	jre-8u281-windows-x64.exe
4988	jre-8u281-windows-x64.exe
4988	jre-8u281-windows-x64.exe
4988	jre-8u281-windows-x64.exe
2364	jp2launcher.exe
4860	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ExLoader.exeExLoader.exeExLoader.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4768 wrote to memory of 5072	4768	ExLoader.exe	javaw.exe
PID 4768 wrote to memory of 5072	4768	ExLoader.exe	javaw.exe
PID 4084 wrote to memory of 3336	4084	ExLoader.exe	javaw.exe
PID 4084 wrote to memory of 3336	4084	ExLoader.exe	javaw.exe
PID 3660 wrote to memory of 3984	3660	ExLoader.exe	javaw.exe
PID 3660 wrote to memory of 3984	3660	ExLoader.exe	javaw.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 196 wrote to memory of 4612	196	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 2056 wrote to memory of 1680	2056	firefox.exe	firefox.exe
PID 1680 wrote to memory of 3820	1680	firefox.exe	firefox.exe
PID 1680 wrote to memory of 3820	1680	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 3300 wrote to memory of 416	3300	firefox.exe	firefox.exe
PID 416 wrote to memory of 2388	416	firefox.exe	firefox.exe
PID 416 wrote to memory of 2388	416	firefox.exe	firefox.exe
PID 416 wrote to memory of 4564	416	firefox.exe	firefox.exe
PID 416 wrote to memory of 4564	416	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4564 wrote to memory of 4584	4564	firefox.exe	firefox.exe
PID 4584 wrote to memory of 4292	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 4292	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe
PID 4584 wrote to memory of 1512	4584	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ExLoader.exe" %*
2⤵
- Drops file in Program Files directory
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ExLoader.exe" %*
2⤵
- Drops file in Program Files directory
PID:3336

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hs_err_pid3336.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4600

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ExLoader.exe" %*
2⤵
- Drops file in Program Files directory
PID:3984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1680.0.2000510652\246731068" -parentBuildID 20200403170909 -prefsHandle 1364 -prefMapHandle 1348 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1680 "\\.\pipe\gecko-crash-server-pipe.1680" 1468 gpu
3⤵
PID:3820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="416.0.1794771045\2102776313" -parentBuildID 20200403170909 -prefsHandle 1344 -prefMapHandle 1336 -prefsLen 1 -prefMapSize 214080 -appdir "C:\Program Files\Mozilla Firefox\browser" - 416 "\\.\pipe\gecko-crash-server-pipe.416" 1448 gpu
3⤵
PID:2388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4584.0.1148959301\1506650465" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 219511 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4584 "\\.\pipe\gecko-crash-server-pipe.4584" 1620 gpu
5⤵
PID:4292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4584.3.1551824128\104718302" -childID 1 -isForBrowser -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 156 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4584 "\\.\pipe\gecko-crash-server-pipe.4584" 2272 tab
5⤵
PID:1512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4584.13.819062895\563518933" -childID 2 -isForBrowser -prefsHandle 3312 -prefMapHandle 3308 -prefsLen 7013 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4584 "\\.\pipe\gecko-crash-server-pipe.4584" 3332 tab
5⤵
PID:4312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4584.20.1957517825\763072133" -childID 3 -isForBrowser -prefsHandle 4256 -prefMapHandle 4240 -prefsLen 8126 -prefMapSize 219511 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4584 "\\.\pipe\gecko-crash-server-pipe.4584" 4304 tab
5⤵
PID:2040

C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe"
1⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\jds259396062.tmp\jre-8u281-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds259396062.tmp\jre-8u281-windows-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4988 -s 2836
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 790AB12FC30250EBDF796EBDF92F4420
2⤵
- Loads dropped DLL
PID:1432

C:\Program Files\Java\jre1.8.0_281\installer.exe
"C:\Program Files\Java\jre1.8.0_281\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_281\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180281F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4516

C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:4912

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_281\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:420

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_281\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_281\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4332

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_281\lib/rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_281\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4348

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_281\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1476

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4424

C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3476

C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:4228

C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2364 -s 1028
5⤵
- Program crash
PID:4396

C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3452

C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding D10287A512DB037DEC7F11E94D78920B E Global\MSI0000
2⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
PID:4836

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ExLoader.exe" %*
2⤵
- Drops file in Program Files directory
PID:372

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_281\bin\VCRUNTIME140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\java.dll
MD5
949fc2c63994ec317abcccfc1452ef22

SHA1
41d496159e826e894988ad1dcca7918d10e793e5

SHA256
6cca6ced25b89323900dc9e5f75604c922a78bd70887ef003313f9e2e7b9aca8

SHA512
26f13807dce767a89d053690023ca322409dc819120f213944291f06e597a0d4f0a08435251d69a74bc15811540ba7f2472bf5962f0f66515603e34b0cd2815c

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe
MD5
74198e9118b9b57592f08fed2380ddb6

SHA1
e5c6541d4a133d434192155f758b750a17a532c5

SHA256
a8c0c9cd921236b8b47c62718638690e74edebdfd555f306ce3247207e032458

SHA512
c1838904824f7d7fba36e811a2b81f68beaba2f26b6ba1dd5249c6e3289583b818afb3fd934a08d526c30bd983240dcab0679f6a3f62fb29998430e75df92026

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\server\jvm.dll
MD5
b6eccb52a3c72e3359419bedac89ccad

SHA1
e0448d8ac5a0ddee4ad91c6d373ae6467b3b4595

SHA256
c39842d7a68037629d734cef260af727c5346177929030adc00b0adc4671088d

SHA512
34b9fe1dda4624afe286440fc607d4b2d2e6a905974748fbb740132c825df6d2638d32f914881a9db79660be821e9ec9ca26c40a1ed382f72d7b70944bce384a

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5
9bc8abeedf17b7e6bf826dd8ddeec12b

SHA1
5bdf9e3f1ccd272c20e85dc3782065ce2cda4285

SHA256
3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1

SHA512
425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

Download Submit
C:\Program Files\Java\jre1.8.0_281\installer.exe
MD5
fa4ee41538e227270b4c5043c5f01659

SHA1
c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c

SHA256
a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98

SHA512
41a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf

Download Submit
C:\Program Files\Java\jre1.8.0_281\installer.exe
MD5
fa4ee41538e227270b4c5043c5f01659

SHA1
c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c

SHA256
a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98

SHA512
41a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\amd64\jvm.cfg
MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\charsets.pack
MD5
c7aa057ae6178409b20673ee9b07c8c7

SHA1
3d8fdf58cb8f7b097f29ecaae39287967e8203aa

SHA256
4029021f4f3fe7e9256797e5247be5182e542602c51956784a058f992b53302f

SHA512
894f0c53c824b517b4897485031e7df4f307d2252bf60d6d343452e6a8e979a8f2c682f741ba5f1a93bd1705d4dd7e6be47c3caa47aee5787e2fb0d6aa999e81

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\deploy.pack
MD5
da3942cd970a705c2b38ca0c68730758

SHA1
d930ed6747f517a43b83361e5d9ee181de4751e4

SHA256
0fa6e71cbb5626e138dd8f811d6d1f01df7ff0354d3641ae113b9d4567836407

SHA512
a7cd0c8e47c298a05f9e84adfa5359e913e36cad901a4905d64b16d0cf32d33d263c5608be5e06ee148df665bc7e1005bd4e21580efa9123d7569b4ba7bb31d1

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\ext\localedata.pack
MD5
66c1a7f3a76bb3d0d2481b4c4890af3e

SHA1
6b0f9a59513049206c19d17643c2959606c8bcbb

SHA256
a8856056bc51071152f18d44649586739ac2bff03836bbcdb46f0c935a173db9

SHA512
1d0444292622b2a12e839dc6887009a77e997c6f6bab3fc1f4cabef1c839d5dced6b6036d45f26b31b32adfc98919d45c57f3e189e07f9930e328930b4ffd360

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\javaws.pack
MD5
9f1b7a828fe7387633f0e288139da55f

SHA1
e8d068b51ed8557ff10cfbfe2757b0bcd99676ae

SHA256
c3fa2dfce23608dd49e136c58dae7a6900d8e584211b38f19bc8563307b1701f

SHA512
68dd52a7137770aa34fc94a638c596a28234bd1c29c3ed5cd5cd3fa26ae45418923128705ade2ac92b465ffd6fc75884e434ae2300771527d992b81c3d47738b

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\jsse.pack
MD5
884a2e7606180612e52ea8cea555c016

SHA1
0a7ebebf358a7700efe6b55e1fbd583ce9f8636c

SHA256
59dde340b6d49ef69121e6008b3b741a8e7dff98ab2068c82edd252a068ba72b

SHA512
032bbf3ab27ba9014de90b508e35e4e648e7d3d5fe96e9b10e4bab15070811f422cb00c172b6fded27557ae55e30fa3a03aec0e5101c7cf5abc4e9eae79cacd8

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\plugin.pack
MD5
caccacb78c04507cf17c6de7b8a698da

SHA1
73ad8797542382d22947afbd88410022533ee36d

SHA256
33ea7de804f55e95a3070ee4121b737b85b36ca7cc90f686066f27471ec49438

SHA512
fab17d1aa70cf8323ae8a93f0d2089e9a2418999ad8f6aace07f07a9be9a5828f6b71a783715e7bc99c74bd9fccd92c4bcc0597931af7c7cb4232cf7b19b6cf5

Download Submit
C:\Program Files\Java\jre1.8.0_281\lib\rt.pack
MD5
604b23b81135034403b4e3d65ccb5413

SHA1
66634907945a455e650129529e2bd3970d825eab

SHA256
2e08f26f2bc7948f73893fea2c6e59ab5a18760a5a39fbb895ca57513992246c

SHA512
a8703ebab1ce057e3672450692b8bb35350fa8dbb91fdc6f0e40b4089a19666955f9c1fb86afac45961d04e13dc2ed7e3b1221ee0cdfaf73ae00859a9edc2852

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\baseimagefam8
MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\diff
MD5
d5b61c2cfe78a2dd2a3504fe50f3a2af

SHA1
1367bdab2d2d4ca27e5821cb11183f25c091adfa

SHA256
547295e7e127d4b8e03dc8531ca96fbff3d4940a08a2e0237be30955c9f42288

SHA512
057b2deb59a559ec314d3aba0f3b44f35d6607ab5e9538a00cb58066d34a9ce989dbc0aa26b0ffdd20e3ddf60655086b4d4a879bb1f294f08f482734225b9319

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259437718.tmp\newimage
MD5
26e47c6e1ea3599d0afc66fab66d1832

SHA1
cfde5aedc9d5f102a35e8c552fc1f8c1adf403f5

SHA256
c998e8ce2e242a54125e408b9d4ea8f9e055e0fe9282a27bb4a521853e140e4d

SHA512
93fff745724345809f74cc5373590b7ef3b9d8047d34de4144036f90dc4020a50ca268891d07ebd13fe32f5894128dd0f608d7aa2ef760bdb90b151b242e4cc4

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
25d251ae1b611924ec5515e422befaba

SHA1
792cfbcc18ecfd351c2b22fb55bdb8a202a1c37b

SHA256
d7afa1ab8010f29c03e282dcf0fbae1e54b01f910a9f5164befb325048529574

SHA512
492200658afbed0bbd4cb67437439a9eb745914d4d820265f844b095cfcea5ff013a0a70ea79a0a6a8e71ff100eb461e3108a4ec1e5991d01f3224cd571c1af0

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281_x64\jre1.8.0_28164.msi
MD5
7e071988c06dfbe07b08d3101f529514

SHA1
15253d178036122e31c410a8775ac778d49554cd

SHA256
430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d

SHA512
47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs_err_pid3336.log
MD5
03e0c7da80efbc5b78294c66839ba638

SHA1
dd3a373f7fd9451a1aebe873e22fcd88e391b7ee

SHA256
f9d7dd48eefe8ffbd88544599aa4143ad367f5099a20f44bbd67068c3d33a827

SHA512
ea9f74f6aa803a76a40000ff9fc79e7daedda9f64610303879df1bd7bfbc38a1f0903e142f8538aca8f8a9a71e0661f7f224c249fb3e7df87c69321d55e0d663

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259396062.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259396062.tmp\jre-8u281-windows-x64.exe
MD5
fcd2bc341d811dd3ef5f76e88fcb4c23

SHA1
85738726745d049d85c8683f472ce0b400a37482

SHA256
dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773

SHA512
3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
f29e622c2e07b3501eb9092984d7bc42

SHA1
4ece0916794cf530fcc79269ec122f3256a47877

SHA256
9a9eec212b796159a999cccfbe99bc552c854c4164cdd5db23f1fbfb61fbdf70

SHA512
cf00dd4db38ff4b63b06fe68c4c34e3361bf6f6cc46a9366c18b36ee336f7eb6cd37b67bc4fe0cc7b7571113fa5e4a8324bdeeda6d42701605f30c4902854dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
dd06b68213d76f97d8cef4dea9b53f5e

SHA1
e665800f8be3035f3c6c7b5f6e4792e3566bceab

SHA256
f30b4cdea6c7bdeef7c700d770df68c4690cd7edb37c1f21d26c3fc062983a84

SHA512
7d674b55e4b1f974bb92a97a68d021d04ac473782a1caaea31c17a5751950ccc4c15a7f00ae4b3e51e1f2ebf39306ca88648870b6196d657da818e2be5b61201

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
6cc92a1a4a75e24cc88e37ae751579c0

SHA1
a334c2b1f6a419d07f82de6b024e0bfeb8e8ce43

SHA256
5d511018fb4251d1b06c96080e2516842a79e2bdce65b12b954969c65e6a6b20

SHA512
a03ce5975942c420a11188cfd61a8440b654752c5cb559845e2eff0d16bd22e31ff2b01e04b699512fe706279883128ff33df8e6ad680a6d45e322604f027896

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
6cc92a1a4a75e24cc88e37ae751579c0

SHA1
a334c2b1f6a419d07f82de6b024e0bfeb8e8ce43

SHA256
5d511018fb4251d1b06c96080e2516842a79e2bdce65b12b954969c65e6a6b20

SHA512
a03ce5975942c420a11188cfd61a8440b654752c5cb559845e2eff0d16bd22e31ff2b01e04b699512fe706279883128ff33df8e6ad680a6d45e322604f027896

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
e370388d3e109c36299b03078c54d640

SHA1
25544e0a407dcf76f8336593a3e84d68f0f931cb

SHA256
fe2854d0466058b9e7e04f9f99ecc336ab334c0240efb9d251b583fd6f96536d

SHA512
e194ae5329e9c640e74f172bbaa9867f57b5d076047831c626475669ade8ffc3bfe775a1f5804d1c7b2bbf24a91e1f143b0298d744424faaa15a504a367e7d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c1124bc02b0b7ab4162e94df15dd9944

SHA1
50f0995e7805a2f640287960fbfa08f11a671647

SHA256
71e0bbe2bd7065a2230c77213c5563c208ed395f71eb09ac6c0338620e0ac6e2

SHA512
2c6a96e80a3bfaedfac721cf3e3f4150795d2a7b6f3ffdf0e46996621761174c1f36a85e276ebfdb98d15cdf9d5c2f47ad17754228963988b273e32f269f2907

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\up70r7vk.default-release\Telemetry.FailedProfileLocks.txt
MD5
c81e728d9d4c2f636f067f89cc14862c

SHA1
da4b9237bacccdf19c0760cab7aec4a8359010b0

SHA256
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

SHA512
40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Download Submit
C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe
MD5
c6136758f1fec04a2f7f01249280c315

SHA1
5835e46596fe9f4dfe48fd5dd3947dc650d196ec

SHA256
27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157

SHA512
045f33920fb3882d8f24c06e2179934601396636d2ddc360a2a6f03862e40b188506f8da530e4197e4a0e1c79cda48987e810425079377f357fbcf7950c6b030

Download Submit
C:\Users\Admin\Downloads\jre-8u281-windows-x64.exe
MD5
c6136758f1fec04a2f7f01249280c315

SHA1
5835e46596fe9f4dfe48fd5dd3947dc650d196ec

SHA256
27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157

SHA512
045f33920fb3882d8f24c06e2179934601396636d2ddc360a2a6f03862e40b188506f8da530e4197e4a0e1c79cda48987e810425079377f357fbcf7950c6b030

Download Submit
C:\Windows\Installer\MSI941E.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\MSI970D.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\MSIAD66.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
C:\Windows\Installer\f768a3e.msi
MD5
7e071988c06dfbe07b08d3101f529514

SHA1
15253d178036122e31c410a8775ac778d49554cd

SHA256
430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d

SHA512
47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Windows\Installer\MSI941E.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
\Windows\Installer\MSI970D.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
\Windows\Installer\MSIAD66.tmp
MD5
36702dc0af0ebdc03fa68624f4bde4b0

SHA1
d25f646db7eccdc1dbe425087131a17c1e6397a4

SHA256
c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da

SHA512
2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

Download Submit
memory/372-197-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download
memory/372-198-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/372-195-0x0000000000000000-mapping.dmp

Download
memory/372-200-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/372-199-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/372-201-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/416-107-0x0000000000000000-mapping.dmp

Download
memory/420-203-0x0000000000000000-mapping.dmp

Download
memory/856-217-0x0000000000000000-mapping.dmp

Download
memory/1016-286-0x0000000000000000-mapping.dmp

Download
memory/1424-209-0x0000000000000000-mapping.dmp

Download
memory/1432-171-0x0000000000000000-mapping.dmp

Download
memory/1476-225-0x0000000000000000-mapping.dmp

Download
memory/1512-154-0x0000000000000000-mapping.dmp

Download
memory/1680-38-0x0000000000000000-mapping.dmp

Download
memory/2040-156-0x0000000000000000-mapping.dmp

Download
memory/2364-256-0x0000029449850000-0x0000029449860000-memory.dmp

Filesize
64KB

Download
memory/2364-252-0x0000000000000000-mapping.dmp

Download
memory/2364-258-0x0000029449870000-0x0000029449880000-memory.dmp

Filesize
64KB

Download
memory/2364-257-0x0000029449860000-0x0000029449870000-memory.dmp

Filesize
64KB

Download
memory/2388-140-0x0000000000000000-mapping.dmp

Download
memory/2892-251-0x0000000000000000-mapping.dmp

Download
memory/3336-17-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/3336-16-0x00000000024C0000-0x0000000002730000-memory.dmp

Filesize
2.4MB

Download
memory/3336-14-0x0000000000000000-mapping.dmp

Download
memory/3452-254-0x0000000000000000-mapping.dmp

Download
memory/3476-233-0x0000000000000000-mapping.dmp

Download
memory/3476-238-0x00000283304F0000-0x0000028330760000-memory.dmp

Filesize
2.4MB

Download
memory/3820-71-0x0000000000000000-mapping.dmp

Download
memory/3984-24-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3984-26-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/3984-19-0x0000000000000000-mapping.dmp

Download
memory/3984-30-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/3984-31-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/3984-23-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download
memory/3984-32-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3984-28-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/3984-25-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/3984-33-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3984-29-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3984-21-0x0000000002B20000-0x0000000002D90000-memory.dmp

Filesize
2.4MB

Download
memory/3984-27-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/3984-22-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4228-250-0x0000000000000000-mapping.dmp

Download
memory/4292-153-0x0000000000000000-mapping.dmp

Download
memory/4312-155-0x0000000000000000-mapping.dmp

Download
memory/4332-213-0x0000000000000000-mapping.dmp

Download
memory/4348-221-0x0000000000000000-mapping.dmp

Download
memory/4424-229-0x0000000000000000-mapping.dmp

Download
memory/4516-185-0x0000000000000000-mapping.dmp

Download
memory/4564-151-0x0000000000000000-mapping.dmp

Download
memory/4584-152-0x0000000000000000-mapping.dmp

Download
memory/4604-177-0x0000026B227C0000-0x0000026B227C1000-memory.dmp

Filesize
4KB

Download
memory/4604-178-0x0000026B227C0000-0x0000026B227C1000-memory.dmp

Filesize
4KB

Download
memory/4612-34-0x0000000000000000-mapping.dmp

Download
memory/4860-264-0x000001903FC70000-0x000001903FC80000-memory.dmp

Filesize
64KB

Download
memory/4860-255-0x0000000000000000-mapping.dmp

Download
memory/4860-280-0x000001903FD70000-0x000001903FD80000-memory.dmp

Filesize
64KB

Download
memory/4860-279-0x000001903FD60000-0x000001903FD70000-memory.dmp

Filesize
64KB

Download
memory/4860-278-0x000001903FD50000-0x000001903FD60000-memory.dmp

Filesize
64KB

Download
memory/4860-277-0x000001903FD40000-0x000001903FD50000-memory.dmp

Filesize
64KB

Download
memory/4860-276-0x000001903FD30000-0x000001903FD40000-memory.dmp

Filesize
64KB

Download
memory/4860-275-0x000001903FD20000-0x000001903FD30000-memory.dmp

Filesize
64KB

Download
memory/4860-274-0x000001903FD10000-0x000001903FD20000-memory.dmp

Filesize
64KB

Download
memory/4860-273-0x000001903FD00000-0x000001903FD10000-memory.dmp

Filesize
64KB

Download
memory/4860-272-0x000001903FCF0000-0x000001903FD00000-memory.dmp

Filesize
64KB

Download
memory/4860-268-0x000001903FCB0000-0x000001903FCC0000-memory.dmp

Filesize
64KB

Download
memory/4860-269-0x000001903FCC0000-0x000001903FCD0000-memory.dmp

Filesize
64KB

Download
memory/4860-271-0x000001903FCE0000-0x000001903FCF0000-memory.dmp

Filesize
64KB

Download
memory/4860-267-0x000001903FCA0000-0x000001903FCB0000-memory.dmp

Filesize
64KB

Download
memory/4860-260-0x000001903FC30000-0x000001903FC40000-memory.dmp

Filesize
64KB

Download
memory/4860-261-0x000001903FC40000-0x000001903FC50000-memory.dmp

Filesize
64KB

Download
memory/4860-262-0x000001903FC50000-0x000001903FC60000-memory.dmp

Filesize
64KB

Download
memory/4860-263-0x000001903FC60000-0x000001903FC70000-memory.dmp

Filesize
64KB

Download
memory/4860-270-0x000001903FCD0000-0x000001903FCE0000-memory.dmp

Filesize
64KB

Download
memory/4860-265-0x000001903FC80000-0x000001903FC90000-memory.dmp

Filesize
64KB

Download
memory/4860-266-0x000001903FC90000-0x000001903FCA0000-memory.dmp

Filesize
64KB

Download
memory/4912-190-0x0000000000000000-mapping.dmp

Download
memory/4988-159-0x0000000000000000-mapping.dmp

Download
memory/4988-163-0x0000024A650A0000-0x0000024A650A4000-memory.dmp

Filesize
16KB

Download
memory/5072-9-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/5072-11-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/5072-7-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/5072-12-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/5072-10-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/5072-2-0x0000000000000000-mapping.dmp

Download
memory/5072-8-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/5072-3-0x0000000002530000-0x00000000027A0000-memory.dmp

Filesize
2.4MB

Download
memory/5072-4-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/5072-5-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/5072-6-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/5072-13-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download