9de171005e8191a70274184c61dcac5e75b6a4307063c740609209da86592f3c

Resubmissions

10-07-2021 16:53

210710-thekp6z3ka 10

10-07-2021 16:51

210710-yc1gf34hxn 8

Analysis

max time kernel
299s
max time network
257s
platform
windows7_x64
resource
win7v20210410
submitted
10-07-2021 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd.exe
Size

82.1MB
MD5

9b5aaf2bfe25d830f482b5516471aea3
SHA1

442c40f4dd466a643595a40ae1239c89fca6f9ae
SHA256

9de171005e8191a70274184c61dcac5e75b6a4307063c740609209da86592f3c
SHA512

508322b9d26d55f291d6511103b15dffd9c2230599d51f28c63dfdf9ff6d494a6240fa7daa1b354a051524ea888da6b7b8f03420c4c209ffa734328c10c10b42

Score

10^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

11 1976 msiexec.exe

flow	pid	process
11	1976	msiexec.exe

Executes dropped EXE 22 IoCs

Processes:

jre-8u291-windows-x64.exejre-8u291-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeMSI121A.tmpjavaw.exejavaw.exeCristalixLauncher-3.0.145.exejavaw.exe

pid	process
952	jre-8u291-windows-x64.exe
1172	jre-8u291-windows-x64.exe
1960	installer.exe
1828	bspatch.exe
584	unpack200.exe
1668	unpack200.exe
1100	unpack200.exe
1240	unpack200.exe
1956	unpack200.exe
1828	unpack200.exe
1120	unpack200.exe
1508	javaw.exe
1528	ssvagent.exe
924	javaws.exe
1588	jp2launcher.exe
1748	javaws.exe
1580	jp2launcher.exe
1548	MSI121A.tmp
2024	javaw.exe
1516	javaw.exe
1980	CristalixLauncher-3.0.145.exe
1808	javaw.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

jre-8u291-windows-x64.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exe

pid	process
1272
1272
1272
952	jre-8u291-windows-x64.exe
1272
1272
1272
1272
1272
1272
944	MsiExec.exe
944	MsiExec.exe
944	MsiExec.exe
1976	msiexec.exe
1828	bspatch.exe
1828	bspatch.exe
1828	bspatch.exe
1960	installer.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
584	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1668	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe
1100	unpack200.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1732 icacls.exe

pid	process
1732	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 5 IoCs

Processes:

rundll32.exeinstaller.exe

description	ioc	process
File created	C:\Windows\system32\javaw.exe	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\javaws.exe	rundll32.exe
File created	C:\Windows\system32\java.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exemsiexec.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EET	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\release	installer.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\jdk\colorimaging.md	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\eula.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\ext\access-bridge-64.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\ext\dnsns.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\security\policy\limited\US_export_policy.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\decora-sse.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2ssv.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\calendars.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_socket.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jfr.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Lima	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\security\java.security	installer.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsdt.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\wsdetect.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Omsk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\eula.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jsoundds.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\deploy\splash_11@2x-lic.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\fontmanager.dll	installer.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6964.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755d2f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF98A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI11FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6500.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f755d31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC81B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF989.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755d2d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B59.tmp	msiexec.exe
File created	C:\Windows\Installer\f755d2d.msi	msiexec.exe
File created	C:\Windows\Installer\f755d33.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI121A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755d33.ipi	msiexec.exe
File created	C:\Windows\Installer\f755d2f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A4F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exerundll32.exejre-8u291-windows-x64.exedd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	jre-8u291-windows-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_93"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0061-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0093-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0111-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0130-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0081-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0115-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0153-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0125-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_125"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_51"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0098-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_52"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0157-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0247-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_221"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_87"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0271-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0173-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0247-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0288-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_288"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0248-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

Processes:

ssvagent.exerundll32.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0205-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_205"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0295-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0195-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_238"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0223-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_14"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0281-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_61"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0212-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0075-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0198-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0155-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0130-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0288-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_288"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_47"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0224-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0203-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_220"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_117"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_239"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_298"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\Shell\Open\Command	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_126"	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jre-8u291-windows-x64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-8u291-windows-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-8u291-windows-x64.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

javaws.exejp2launcher.exejavaws.exejp2launcher.exeMSI121A.tmp

pid process

924 javaws.exe
1588 jp2launcher.exe
1748 javaws.exe
1580 jp2launcher.exe
1548 MSI121A.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-8u291-windows-x64.exe

pid process

1172 jre-8u291-windows-x64.exe

pid	process
924	javaws.exe
1588	jp2launcher.exe
1748	javaws.exe
1580	jp2launcher.exe
1548	MSI121A.tmp

pid	process
1172	jre-8u291-windows-x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u291-windows-x64.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeSecurityPrivilege	1976	msiexec.exe
Token: SeCreateTokenPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeLockMemoryPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeMachineAccountPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeTcbPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeSecurityPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeTakeOwnershipPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeLoadDriverPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeSystemProfilePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeSystemtimePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeProfSingleProcessPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeIncBasePriorityPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeCreatePagefilePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeCreatePermanentPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeBackupPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeRestorePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeShutdownPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeDebugPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeAuditPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeChangeNotifyPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeRemoteShutdownPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeUndockPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeSyncAgentPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeEnableDelegationPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeManageVolumePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeImpersonatePrivilege	1172	jre-8u291-windows-x64.exe
Token: SeCreateGlobalPrivilege	1172	jre-8u291-windows-x64.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

jre-8u291-windows-x64.exe

pid process

1172 jre-8u291-windows-x64.exe

pid	process
1172	jre-8u291-windows-x64.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dd.exejre-8u291-windows-x64.exejp2launcher.exejp2launcher.exe

pid	process
2040	dd.exe
2040	dd.exe
1172	jre-8u291-windows-x64.exe
1172	jre-8u291-windows-x64.exe
1172	jre-8u291-windows-x64.exe
1172	jre-8u291-windows-x64.exe
1588	jp2launcher.exe
1580	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

jre-8u291-windows-x64.exemsiexec.exeinstaller.exejavaws.exejavaws.exe

description	pid	process	target process
PID 952 wrote to memory of 1172	952	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 952 wrote to memory of 1172	952	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 952 wrote to memory of 1172	952	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 1976 wrote to memory of 944	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 944	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 944	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 944	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 944	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1960	1976	msiexec.exe	installer.exe
PID 1976 wrote to memory of 1960	1976	msiexec.exe	installer.exe
PID 1976 wrote to memory of 1960	1976	msiexec.exe	installer.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	bspatch.exe
PID 1960 wrote to memory of 584	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 584	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 584	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1668	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1668	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1668	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1100	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1100	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1100	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1240	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1240	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1240	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1956	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1956	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1956	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1828	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1120	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1120	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1120	1960	installer.exe	unpack200.exe
PID 1960 wrote to memory of 1508	1960	installer.exe	javaw.exe
PID 1960 wrote to memory of 1508	1960	installer.exe	javaw.exe
PID 1960 wrote to memory of 1508	1960	installer.exe	javaw.exe
PID 1960 wrote to memory of 924	1960	installer.exe	javaws.exe
PID 1960 wrote to memory of 924	1960	installer.exe	javaws.exe
PID 1960 wrote to memory of 924	1960	installer.exe	javaws.exe
PID 924 wrote to memory of 1588	924	javaws.exe	jp2launcher.exe
PID 924 wrote to memory of 1588	924	javaws.exe	jp2launcher.exe
PID 924 wrote to memory of 1588	924	javaws.exe	jp2launcher.exe
PID 1960 wrote to memory of 1748	1960	installer.exe	javaws.exe
PID 1960 wrote to memory of 1748	1960	installer.exe	javaws.exe
PID 1960 wrote to memory of 1748	1960	installer.exe	javaws.exe
PID 1748 wrote to memory of 1580	1748	javaws.exe	jp2launcher.exe
PID 1748 wrote to memory of 1580	1748	javaws.exe	jp2launcher.exe
PID 1748 wrote to memory of 1580	1748	javaws.exe	jp2launcher.exe
PID 1976 wrote to memory of 772	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 772	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 772	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 772	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 772	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1828	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1828	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1828	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1828	1976	msiexec.exe	MsiExec.exe
PID 1976 wrote to memory of 1828	1976	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\dd.exe
"C:\Users\Admin\AppData\Local\Temp\dd.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
"C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_291\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
3⤵
- Executes dropped EXE
PID:2024

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_291\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
3⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 965EB647DE1B56D027BB22DBD791A5C1
2⤵
- Loads dropped DLL
PID:944

C:\Program Files\Java\jre1.8.0_291\installer.exe
"C:\Program Files\Java\jre1.8.0_291\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_291\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180291F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_291\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_291\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_291\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_291\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:1240

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_291\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:1956

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_291\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:1828

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:1120

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:1508

C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:1528

C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 15F5DBDCD9F4C254170EA018B2526381 M Global\MSI0000
2⤵
PID:772

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 1BA7B6BA5CFC12A23CC1494BD4973803
2⤵
PID:1828

C:\Windows\Installer\MSI121A.tmp
"C:\Windows\Installer\MSI121A.tmp" C:\Program Files\Java\jre7\;C;2
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
2⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1368

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:1952

C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_291\bin\VCRUNTIME140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l2-1-0.dll
MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-2-0.dll
MD5
d175430eff058838cee2e334951f6c9c

SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1

SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a

SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-filesystem-l1-1-0.dll
MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-string-l1-1-0.dll
MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\ucrtbase.DLL
MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\installer.exe
MD5
555df4fdc4bf2b1637c78202220bf3bf

SHA1
11e572f2b737ca8947358d94554f66fdc007b2f5

SHA256
95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04

SHA512
ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\baseimagefam8
MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\diff
MD5
da4e745b8bad3af16ce5a0022a3b392d

SHA1
0413500743c53204f56b4800e345c9fd64afe080

SHA256
01f42f9e600f76278dd2f3d1ffa9fa61d3620d95f15f5570beac2e1fef4d1361

SHA512
72d7a0cf4bc56282486a1912c1aa116b8b75775119d16d64975dcc2b77a28080e5fe48f0d92bc7f64ab487792d930691b10b621ccdf27b803092d7db58bed590

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\newimage
MD5
02f19e36fa82c9eb17b925a799bce392

SHA1
7ddbaa8a650c827c0919947fed7bf98eec1f0ad7

SHA256
deb84d0994611b6387f7885cc536ea3b7f37c15cb334b113b5f4d746c9511ee7

SHA512
ad4dff9488ff09140c361adf20cad38cc0bfe5a319c5e3af637ed07eaf9a0337b1fdc19c3edf0aa0d361b8ee83ff519a95e771699b477ea384d5927c46e05f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
656ae037eaebb20e59e31ba6e406dd17

SHA1
5488f70aae8898651bb7ebc8ff53fa8222683096

SHA256
82747bebfc23c499d660bca3d31829dcd42172125c6d3530c3830b20f959eca9

SHA512
5d731b59a051c03923f3b445185139c41f3323eae51f038b2390a98d8847bfa8cda4ce21556ac499739e1b8e215fc2b0b063e8c1c506a97d20f5a5dc9cdfb281

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291_x64\jre1.8.0_29164.msi
MD5
3cdae39110c1f107a3ac413e69b97b71

SHA1
fdc70fb84e9beb500ce801db9581d6a5e6cccd27

SHA256
db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd

SHA512
5c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
916991c368e71294e7f37e9cfa708cb4

SHA1
f8909bfebf95281ef72f27c0cf0b7c0b64efc0b3

SHA256
30059797cbd320cf0c5213967cfb6636abbdf9dbea8174cce2a63a390e91c965

SHA512
ad4894bdf4f397369311dbed7ac259b89da79ab489dd9d72d188b14ad5d87a1f13da1091925bd5f31f3aa1f734a9e38827013255a88c68258c8ed3c602e18a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
77083c73bb1a7baf1df9931688cea276

SHA1
119050a1ff67e64f1b6c1b94d288fbb318890a70

SHA256
b426fb3af23ac89cdde9783b1c3f66da1ff9ee777ae46ee4d5f2b26f409fa79d

SHA512
4fbbc443053f1691cd67c861b4e4e96abd289d820564735f0d17e9db1a3c0a3bf09a3e17196d9fdf1dcad3d5cfca8d263eba97421f675266496f732d1d18e958

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
d93a18a03047be160d58cbc916a50c86

SHA1
84eb799fb85a7486e6404bd62bb0a79e7b4cfa9c

SHA256
2d440dda241920bcb384be28bcb3834fff634c2225d018264687c844b54d2ff4

SHA512
1821e1a446557d2f7b37cdcd56ebc856aee3cb7be767a5fb22db4dd3c0a25c97aaf75f1327216df43d475711d66187c11e40c4394f7f335504235f81dc92da8d

Download Submit
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
C:\Windows\Installer\MSI6500.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\MSI6964.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\MSI6B59.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\f755d31.msi
MD5
3cdae39110c1f107a3ac413e69b97b71

SHA1
fdc70fb84e9beb500ce801db9581d6a5e6cccd27

SHA256
db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd

SHA512
5c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l2-1-0.dll
MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-2-0.dll
MD5
d175430eff058838cee2e334951f6c9c

SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1

SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a

SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-string-l1-1-0.dll
MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Program Files\Java\jre1.8.0_291\bin\ucrtbase.dll
MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\installer.exe
MD5
555df4fdc4bf2b1637c78202220bf3bf

SHA1
11e572f2b737ca8947358d94554f66fdc007b2f5

SHA256
95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04

SHA512
ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
\Windows\Installer\MSI6500.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
\Windows\Installer\MSI6964.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
\Windows\Installer\MSI6B59.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
memory/584-104-0x0000000000000000-mapping.dmp

Download
memory/772-188-0x0000000000000000-mapping.dmp

Download
memory/924-144-0x0000000000000000-mapping.dmp

Download
memory/944-79-0x0000000000000000-mapping.dmp

Download
memory/1100-134-0x0000000000000000-mapping.dmp

Download
memory/1120-138-0x0000000000000000-mapping.dmp

Download
memory/1172-65-0x0000000000000000-mapping.dmp

Download
memory/1172-67-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1240-135-0x0000000000000000-mapping.dmp

Download
memory/1368-193-0x0000000000000000-mapping.dmp

Download
memory/1508-139-0x0000000000000000-mapping.dmp

Download
memory/1508-141-0x00000000021C0000-0x0000000002430000-memory.dmp

Filesize
2.4MB

Download
memory/1508-142-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1516-208-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1516-207-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1516-204-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1516-205-0x0000000002250000-0x00000000024C0000-memory.dmp

Filesize
2.4MB

Download
memory/1548-192-0x0000000000000000-mapping.dmp

Download
memory/1580-178-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1580-172-0x0000000000000000-mapping.dmp

Download
memory/1580-184-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/1580-185-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1580-186-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1580-187-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/1580-182-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/1580-180-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1580-177-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1580-175-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1580-174-0x0000000002300000-0x0000000002570000-memory.dmp

Filesize
2.4MB

Download
memory/1588-167-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1588-151-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1588-166-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1588-165-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1588-163-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/1588-160-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/1588-162-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1588-161-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1588-145-0x0000000000000000-mapping.dmp

Download
memory/1588-168-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/1588-169-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1588-170-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/1588-164-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/1588-147-0x0000000002330000-0x00000000025A0000-memory.dmp

Filesize
2.4MB

Download
memory/1588-159-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1588-154-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1588-155-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/1588-148-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1588-150-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1588-149-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1668-133-0x0000000000000000-mapping.dmp

Download
memory/1732-202-0x0000000000000000-mapping.dmp

Download
memory/1748-171-0x0000000000000000-mapping.dmp

Download
memory/1808-200-0x0000000000000000-mapping.dmp

Download
memory/1808-203-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1808-206-0x00000000022B0000-0x0000000002520000-memory.dmp

Filesize
2.4MB

Download
memory/1828-137-0x0000000000000000-mapping.dmp

Download
memory/1828-190-0x0000000000000000-mapping.dmp

Download
memory/1828-93-0x0000000000000000-mapping.dmp

Download
memory/1956-136-0x0000000000000000-mapping.dmp

Download
memory/1960-89-0x0000000000000000-mapping.dmp

Download
memory/2024-196-0x00000000021C0000-0x0000000002430000-memory.dmp

Filesize
2.4MB

Download
memory/2024-197-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2040-59-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download