Analysis
- max time kernel: 299s
- max time network: 257s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-07-2021 16:53
Static task: static1
Behavioral task: behavioral1 (Sample: dd.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: dd.exe, Resource: win10v20210408)
General
- Target: dd.exe
- Size: 82.1MB
- MD5: 9b5aaf2bfe25d830f482b5516471aea3
- SHA1: 442c40f4dd466a643595a40ae1239c89fca6f9ae
- SHA256: 9de171005e8191a70274184c61dcac5e75b6a4307063c740609209da86592f3c
- SHA512: 508322b9d26d55f291d6511103b15dffd9c2230599d51f28c63dfdf9ff6d494a6240fa7daa1b354a051524ea888da6b7b8f03420c4c209ffa734328c10c10b42
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
- 11, 1976, msiexec.exe
-
Executes dropped EXE 22 IoCs
-
Processes (resource, yara_rule):
- C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe, upx
- C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe, upx
- \ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe, upx
- \ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe, upx
- \ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe, upx
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 5 IoCs
Processes (description, ioc, process):
- File created, C:\Windows\system32\javaw.exe, rundll32.exe
- File created, C:\Windows\system32\WindowsAccessBridge-64.dll, rundll32.exe
- File created, C:\Windows\system32\WindowsAccessBridge-64.dll, installer.exe
- File opened for modification, C:\Windows\system32\javaws.exe, rundll32.exe
- File created, C:\Windows\system32\java.exe, rundll32.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, msiexec.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, msiexec.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB} ssvagent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0224-ABCDEFFEDCBB}\InprocServer32 installer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0203-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll" ssvagent.exe Key deleted \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}\INPROCSERVER32 ssvagent.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_220" ssvagent.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBB} rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_117" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_239" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_298" rundll32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\INPROCSERVER32 installer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\INPROCSERVER32 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB} rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\Shell\Open\Command installer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_126" installer.exe -
Modifies system certificate store 2 IoCs
Processes:
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde jre-8u291-windows-x64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 jre-8u291-windows-x64.exe
-
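The Blob value above is the serialized form Windows keeps for entries under SystemCertificates\...\Certificates: a run of property records, each a little-endian property id, a second dword that is always 1 here, a length and the data. Property 32 holds the DER certificate, property 11 the UTF-16 friendly name, and property 3 the SHA-1 thumbprint, which is also the name of the registry key. The script below is an added example and is not part of this report or of the Java installer; BLOB_HEX is transcribed from the event above. It checks that the written entry is self-consistent and that the key name really is the SHA-1 of the embedded DER, which is what separates "installer refreshed a well-known root" from "installer planted a root under a familiar-looking name". A blob whose key name and DER hash disagree, or whose subject does not match what the friendly name suggests, is the case to escalate.

```python
"""Check the root certificate jre-8u291-windows-x64.exe wrote to AuthRoot.

Added example; not code from the report or from the Java installer.
BLOB_HEX is transcribed from the 'Set value (data) ...\\Blob' event above.
Layout: records of <u32 property id><u32 reserved, 1 here><u32 length><data>;
property 3 = SHA-1 thumbprint, 11 = UTF-16 friendly name, 32 = DER cert.
"""
import hashlib
import struct

# Registry key the blob was written under (from the event above)
KEY_NAME = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

BLOB_HEX = """
04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b
090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308
14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b0000000100000012000000440069006700690043006500720074000000
1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000
308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d0101050500
3061310b300906035504061302555331153013060355040a130c446967694365727420496e63
31193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341
301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e63
31193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341
30820122300d06092a864886f70d01010105000382010f003082010a0282010100
e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146
e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710
bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfe
cdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af27
0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155
301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100
cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170
e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954
922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d8
89c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
"""


def parse_cert_blob(blob):
    """Split a serialized-certificate blob into {property id: raw data}."""
    props = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 12:
            raise ValueError("truncated property header at offset %d" % offset)
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        offset += 12
        if reserved != 1:
            raise ValueError("property %d: reserved field is %d" % (prop_id, reserved))
        if offset + length > len(blob):
            raise ValueError("property %d runs past the end of the blob" % prop_id)
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def der_total_length(der):
    """Bytes covered by the outer SEQUENCE, header included (short or long length form)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_added_root(blob_hex, key_name):
    """Cross-check the blob's own fields against the key it was written under."""
    blob = bytes.fromhex("".join(blob_hex.split()))
    props = parse_cert_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    stored = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    friendly = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": sha1,
        "matches_key_name": sha1 == key_name,    # key name is the SHA-1 of the DER
        "matches_stored_hash": sha1 == stored,   # property 3 agrees with the DER
        "der_well_formed": der_total_length(der) == len(der),
        "friendly_name": friendly,
        "subject_named": b"DigiCert Global Root CA" in der,
        "property_ids": sorted(props),
    }


if __name__ == "__main__":
    for name, value in check_added_root(BLOB_HEX, KEY_NAME).items():
        print("%-20s %s" % (name, value))
```

The same parser applies to any value under SystemCertificates\*\Certificates\<thumbprint>\Blob, so it can be pointed at a registry export from a live host rather than at a sandbox event; the two hash comparisons are the ones worth alerting on.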
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid process
924 javaws.exe
1588 jp2launcher.exe
1748 javaws.exe
1580 jp2launcher.exe
1548 MSI121A.tmp
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
1172 jre-8u291-windows-x64.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeSecurityPrivilege 1976 msiexec.exe
Token: SeCreateTokenPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeLockMemoryPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeMachineAccountPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeTcbPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeSecurityPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeTakeOwnershipPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeLoadDriverPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeSystemProfilePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeSystemtimePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeProfSingleProcessPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeIncBasePriorityPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeCreatePagefilePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeCreatePermanentPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeBackupPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeRestorePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeShutdownPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeDebugPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeAuditPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeSystemEnvironmentPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeChangeNotifyPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeRemoteShutdownPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeUndockPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeSyncAgentPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeEnableDelegationPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeManageVolumePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeImpersonatePrivilege 1172 jre-8u291-windows-x64.exe
Token: SeCreateGlobalPrivilege 1172 jre-8u291-windows-x64.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
Token: SeRestorePrivilege 1976 msiexec.exe
Token: SeTakeOwnershipPrivilege 1976 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
1172 jre-8u291-windows-x64.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid process
2040 dd.exe
2040 dd.exe
1172 jre-8u291-windows-x64.exe
1172 jre-8u291-windows-x64.exe
1172 jre-8u291-windows-x64.exe
1172 jre-8u291-windows-x64.exe
1588 jp2launcher.exe
1580 jp2launcher.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 952 wrote to memory of 1172 952 jre-8u291-windows-x64.exe jre-8u291-windows-x64.exe
PID 952 wrote to memory of 1172 952 jre-8u291-windows-x64.exe jre-8u291-windows-x64.exe
PID 952 wrote to memory of 1172 952 jre-8u291-windows-x64.exe jre-8u291-windows-x64.exe
PID 1976 wrote to memory of 944 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 944 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 944 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 944 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 944 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1960 1976 msiexec.exe installer.exe
PID 1976 wrote to memory of 1960 1976 msiexec.exe installer.exe
PID 1976 wrote to memory of 1960 1976 msiexec.exe installer.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 1828 1960 installer.exe bspatch.exe
PID 1960 wrote to memory of 584 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 584 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 584 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1668 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1668 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1668 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1100 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1100 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1100 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1240 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1240 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1240 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1956 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1956 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1956 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1828 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1828 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1828 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1120 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1120 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1120 1960 installer.exe unpack200.exe
PID 1960 wrote to memory of 1508 1960 installer.exe javaw.exe
PID 1960 wrote to memory of 1508 1960 installer.exe javaw.exe
PID 1960 wrote to memory of 1508 1960 installer.exe javaw.exe
PID 1960 wrote to memory of 924 1960 installer.exe javaws.exe
PID 1960 wrote to memory of 924 1960 installer.exe javaws.exe
PID 1960 wrote to memory of 924 1960 installer.exe javaws.exe
PID 924 wrote to memory of 1588 924 javaws.exe jp2launcher.exe
PID 924 wrote to memory of 1588 924 javaws.exe jp2launcher.exe
PID 924 wrote to memory of 1588 924 javaws.exe jp2launcher.exe
PID 1960 wrote to memory of 1748 1960 installer.exe javaws.exe
PID 1960 wrote to memory of 1748 1960 installer.exe javaws.exe
PID 1960 wrote to memory of 1748 1960 installer.exe javaws.exe
PID 1748 wrote to memory of 1580 1748 javaws.exe jp2launcher.exe
PID 1748 wrote to memory of 1580 1748 javaws.exe jp2launcher.exe
PID 1748 wrote to memory of 1580 1748 javaws.exe jp2launcher.exe
PID 1976 wrote to memory of 772 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 772 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 772 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 772 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 772 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1828 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1828 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1828 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1828 1976 msiexec.exe MsiExec.exe
PID 1976 wrote to memory of 1828 1976 msiexec.exe MsiExec.exe
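Grouped by writer and target, the 64 WriteProcessMemory events above collapse to 18 distinct writer/target pairs, and those pairs are exactly the parent/child edges of the process tree in the next section: every target is a process its writer launched, and each launch shows up as a burst of three to seven identical writes. A write into a process the writer did not start is the injection shape this signature exists to surface, and none appears here. PID 1828 also shows up under three different image names (bspatch.exe, unpack200.exe, MsiExec.exe), which is ordinary PID recycling during a 300-second run and a reason to key on (pid, image) rather than pid alone. The script is an added example, not part of the report; EVENTS transcribes the list above with a repeat count per distinct line.

```python
"""Rebuild the parent/child graph from the WriteProcessMemory list above.

Added example, not part of the sandbox report. EVENTS transcribes the 64
events under 'Suspicious use of WriteProcessMemory' as
(repeat count, writer pid, target pid, writer image, target image);
the report prints every repeat as its own line.
"""
from collections import Counter, defaultdict

EVENTS = [
    (3, 952, 1172, "jre-8u291-windows-x64.exe", "jre-8u291-windows-x64.exe"),
    (5, 1976, 944, "msiexec.exe", "MsiExec.exe"),
    (3, 1976, 1960, "msiexec.exe", "installer.exe"),
    (7, 1960, 1828, "installer.exe", "bspatch.exe"),
    (3, 1960, 584, "installer.exe", "unpack200.exe"),
    (3, 1960, 1668, "installer.exe", "unpack200.exe"),
    (3, 1960, 1100, "installer.exe", "unpack200.exe"),
    (3, 1960, 1240, "installer.exe", "unpack200.exe"),
    (3, 1960, 1956, "installer.exe", "unpack200.exe"),
    (3, 1960, 1828, "installer.exe", "unpack200.exe"),
    (3, 1960, 1120, "installer.exe", "unpack200.exe"),
    (3, 1960, 1508, "installer.exe", "javaw.exe"),
    (3, 1960, 924, "installer.exe", "javaws.exe"),
    (3, 924, 1588, "javaws.exe", "jp2launcher.exe"),
    (3, 1960, 1748, "installer.exe", "javaws.exe"),
    (3, 1748, 1580, "javaws.exe", "jp2launcher.exe"),
    (5, 1976, 772, "msiexec.exe", "MsiExec.exe"),
    (5, 1976, 1828, "msiexec.exe", "MsiExec.exe"),
]


def expand(events):
    """One (writer pid, writer image, target pid, target image) per logged write."""
    out = []
    for count, wpid, tpid, wimg, timg in events:
        out.extend([(wpid, wimg, tpid, timg)] * count)
    return out


def build_tree(writes):
    """(pid, image) -> ordered, de-duplicated list of (pid, image) targets."""
    tree = defaultdict(list)
    for wpid, wimg, tpid, timg in writes:
        child = (tpid, timg)
        if child not in tree[(wpid, wimg)]:
            tree[(wpid, wimg)].append(child)
    return dict(tree)


def roots(tree):
    """Writers that are never a target: the tops of the tree."""
    targets = {c for children in tree.values() for c in children}
    return sorted(w for w in tree if w not in targets)


def writes_per_target(writes):
    """How many writes each (writer pid, target pid, target image) received."""
    return Counter((wpid, tpid, timg) for wpid, wimg, tpid, timg in writes)


def pid_reuse(writes):
    """PIDs seen with more than one image name: the OS recycled them."""
    names = defaultdict(set)
    for wpid, wimg, tpid, timg in writes:
        names[wpid].add(wimg)
        names[tpid].add(timg)
    return {pid: imgs for pid, imgs in names.items() if len(imgs) > 1}


def foreign_writes(writes):
    """Writes into a process some other writer touched first: the injection
    shape this signature is meant to catch. Empty for this report."""
    first_writer = {}
    for wpid, wimg, tpid, timg in writes:
        first_writer.setdefault((tpid, timg), (wpid, wimg))
    return [w for w in writes if first_writer[(w[2], w[3])] != (w[0], w[1])]


def render(tree, node, depth=0):
    """Indented text tree below node, one line per process."""
    lines = ["  " * depth + "%d %s" % node]
    for child in tree.get(node, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    writes = expand(EVENTS)
    tree = build_tree(writes)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    print("pid reuse:", pid_reuse(writes))
    print("foreign writes:", foreign_writes(writes))
```

The output reproduces the msiexec.exe and jre-8u291-windows-x64.exe subtrees of the Processes section from this signature alone; a non-empty foreign_writes list would name the writer and the victim.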
Processes
Indentation shows nesting: an indented entry is a child of the nearest less-indented entry above it. Each entry lists the image path, the captured command line and the signatures it triggered.
-
C:\Users\Admin\AppData\Local\Temp\dd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dd.exe"
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
Command line: "C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe"
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
-
    C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
    Command line: -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_291\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
    Command line: -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_291\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
    - Executes dropped EXE
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\MsiExec.exe
  Command line: C:\Windows\system32\MsiExec.exe -Embedding 965EB647DE1B56D027BB22DBD791A5C1
  - Loads dropped DLL
-
  C:\Program Files\Java\jre1.8.0_291\installer.exe
  Command line: "C:\Program Files\Java\jre1.8.0_291\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_291\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180291F0}
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
-
    C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
    Command line: "bspatch.exe" baseimagefam8 newimage diff
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_291\lib/plugin.jar"
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_291\lib/javaws.jar"
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_291\lib/deploy.jar"
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_291\lib/rt.jar"
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_291\lib/jsse.jar"
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_291\lib/charsets.jar"
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.jar"
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    - Executes dropped EXE
-
    C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe" -doHKCUSSVSetup
    - Executes dropped EXE
    - Modifies registry class
-
    C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -permissions -silent
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
      Command line: "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
    C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
    Command line: "C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -shortcut -silent
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
      Command line: "C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma 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 -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
  C:\Windows\system32\MsiExec.exe
  Command line: C:\Windows\system32\MsiExec.exe -Embedding 15F5DBDCD9F4C254170EA018B2526381 M Global\MSI0000
-
  C:\Windows\system32\MsiExec.exe
  Command line: C:\Windows\system32\MsiExec.exe -Embedding 1BA7B6BA5CFC12A23CC1494BD4973803
-
  C:\Windows\Installer\MSI121A.tmp
  Command line: "C:\Windows\Installer\MSI121A.tmp" C:\Program Files\Java\jre7\;C;2
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
-
  C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
-
C:\Windows\system32\wbem\WMIADAP.EXE
Command line: wmiadap.exe /D /T
-
C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
Command line: "C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
- Executes dropped EXE
-
  C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
  Command line: "C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
  - Executes dropped EXE
-
    C:\Windows\system32\icacls.exe
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    - Modifies file permissions
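jp2launcher.exe, Oracle's plug-in/Web Start launcher, receives the JVM options (-vma) and the javaws arguments (-ma) as base64 text whose decoded form is a NUL-separated list, so the two launcher command lines in the tree above are unreadable as printed. The decoder below is an added example, not code from the report or from Oracle; the three strings are copied from the javaws.exe to jp2launcher.exe command lines above (the second launch's -vma is missing from this copy of the report and is not reconstructed). The summary pulls out what decides how much the launched JVM can do: whether -Djava.security.manager is set and which policy file governs it, the -Xverify mode, the jars appended to the boot class path, and the javaw.exe the launcher is told to run.

```python
"""Decode jp2launcher.exe -vma / -ma arguments from the process tree above.

Added example, not code from the report or from Oracle's deploy toolkit.
The strings are copied from the javaws.exe -> jp2launcher.exe command lines;
-vma carries the JVM options and -ma the javaws arguments, each base64 over
a NUL-separated list. Padding is re-added before decoding in case a report
strips trailing '=' characters.
"""
import base64

VMA_FIRST_LAUNCH = (
    "LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFy"
    "AC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFc"
    "anJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5"
    "AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9"
    "QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIA"
    "LURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6"
    "XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7"
    "QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtD"
    "OlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFy"
    "AC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1D"
    "OlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU="
)
MA_FIRST_LAUNCH = "LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ=="
MA_SECOND_LAUNCH = "LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ=="


def decode_nul_separated(b64):
    """base64 -> list of NUL-separated strings; tolerates stripped padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded)
    return [part.decode("utf-8") for part in raw.rstrip(b"\x00").split(b"\x00")]


def system_properties(vm_args):
    """-Dkey=value and bare -Dkey options as a dict (bare flags map to '')."""
    props = {}
    for arg in vm_args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def bootclasspath_entries(vm_args):
    """Jars appended to the boot class path via -Xbootclasspath/a:, split on ';'."""
    prefix = "-Xbootclasspath/a:"
    out = []
    for arg in vm_args:
        if arg.startswith(prefix):
            out.extend(p for p in arg[len(prefix):].split(";") if p)
    return out


def summarize(vma_b64, ma_b64):
    """The launch settings an analyst cares about, plus the javaws arguments."""
    vm_args = decode_nul_separated(vma_b64)
    props = system_properties(vm_args)
    classpath = None
    if "-classpath" in vm_args:
        classpath = vm_args[vm_args.index("-classpath") + 1]
    return {
        "security_manager": "java.security.manager" in props,
        "policy_file": props.get("java.security.policy"),
        "verify": next((a for a in vm_args if a.startswith("-Xverify:")), None),
        "boot_classpath_appended": bootclasspath_entries(vm_args),
        "classpath": classpath,
        "jvm_binary": props.get("jnlpx.jvm"),
        "headless": props.get("java.awt.headless") == "true",
        "javaws_args": decode_nul_separated(ma_b64),
    }


if __name__ == "__main__":
    for key, value in summarize(VMA_FIRST_LAUNCH, MA_FIRST_LAUNCH).items():
        print("%-24s %s" % (key, value))
    print("%-24s %s" % ("second launch -ma", decode_nul_separated(MA_SECOND_LAUNCH)))
```

For this sample the first launch decodes to javaws run with -wait -fix -permissions -silent -notWebJava and the second with -wait -fix -shortcut -silent -notWebJava, both under a security manager with lib\security\javaws.policy; a -vma without -Djava.security.manager, or with a policy file outside the JRE directory, would be the deviation to chase.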
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Java\jre1.8.0_291\bin\VCRUNTIME140.dll
MD5 1453290db80241683288f33e6dd5e80e
SHA1 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5 35bc1f1c6fbccec7eb8819178ef67664
SHA1 bbcad0148ff008e984a75937aaddf1ef6fda5e0c
SHA256 7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7
SHA512 9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l2-1-0.dll
MD5 3bf4406de02aa148f460e5d709f4f67d
SHA1 89b28107c39bb216da00507ffd8adb7838d883f6
SHA256 349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e
SHA512 5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5 8acb83d102dabd9a5017a94239a2b0c6
SHA1 9b43a40a7b498e02f96107e1524fe2f4112d36ae
SHA256 059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413
SHA512 b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5 9c9b50b204fcb84265810ef1f3c5d70a
SHA1 0913ab720bd692abcdb18a2609df6a7f85d96db3
SHA256 25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40
SHA512 ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-2-0.dll
MD5 d175430eff058838cee2e334951f6c9c
SHA1 7f17fbdcef12042d215828c1d6675e483a4c62b1
SHA256 1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a
SHA512 6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5 43e1ae2e432eb99aa4427bb68f8826bb
SHA1 eee1747b3ade5a9b985467512215caf7e0d4cb9b
SHA256 3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c
SHA512 40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5 285dcd72d73559678cfd3ed39f81ddad
SHA1 df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a
SHA256 6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44
SHA512 84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-filesystem-l1-1-0.dll
MD5 41fbbb054af69f0141e8fc7480d7f122
SHA1 3613a572b462845d6478a92a94769885da0843af
SHA256 974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c
SHA512 97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5 212d58cefb2347bd694b214a27828c83
SHA1 f0e98e2d594054e8a836bd9c6f68c3fe5048f870
SHA256 8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989
SHA512 637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5 883120f9c25633b6c688577d024efd12
SHA1 e4fa6254623a2b4cdea61712cdfa9c91aa905f18
SHA256 4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc
SHA512 f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5 29680d7b1105171116a137450c8bb452
SHA1 492bb8c231aae9d5f5af565abb208a706fb2b130
SHA256 6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af
SHA512 87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5
-
C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-string-l1-1-0.dll
MD5 f816666e3fc087cd24828943cb15f260
SHA1 eae814c9c41e3d333f43890ed7dafa3575e4c50e
SHA256 45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a
SHA512 6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581
-
C:\Program Files\Java\jre1.8.0_291\bin\ucrtbase.DLL
MD5 61eb0ad4c285b60732353a0cb5c9b2ab
SHA1 21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d
-
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5 bd190f92c29eaf4354f1f636c58c22d8
SHA1 5adecc55700b31238889abb137e3a4654ba92831
SHA256 2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb
SHA512 aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7
-
C:\Program Files\Java\jre1.8.0_291\installer.exe
MD5 555df4fdc4bf2b1637c78202220bf3bf
SHA1 11e572f2b737ca8947358d94554f66fdc007b2f5
SHA256 95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04
SHA512 ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc
-
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\baseimagefam8
MD5 22646919b87d1a6dfc371464405b373b
SHA1 2296c69b12c3e0244fc59586f794457a4735e692
SHA256 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11
SHA512 b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0
-
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\diff
MD5 da4e745b8bad3af16ce5a0022a3b392d
SHA1 0413500743c53204f56b4800e345c9fd64afe080
SHA256 01f42f9e600f76278dd2f3d1ffa9fa61d3620d95f15f5570beac2e1fef4d1361
SHA512 72d7a0cf4bc56282486a1912c1aa116b8b75775119d16d64975dcc2b77a28080e5fe48f0d92bc7f64ab487792d930691b10b621ccdf27b803092d7db58bed590
-
C:\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\newimageMD5
02f19e36fa82c9eb17b925a799bce392
SHA17ddbaa8a650c827c0919947fed7bf98eec1f0ad7
SHA256deb84d0994611b6387f7885cc536ea3b7f37c15cb334b113b5f4d746c9511ee7
SHA512ad4dff9488ff09140c361adf20cad38cc0bfe5a319c5e3af637ed07eaf9a0337b1fdc19c3edf0aa0d361b8ee83ff519a95e771699b477ea384d5927c46e05f80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
656ae037eaebb20e59e31ba6e406dd17
SHA15488f70aae8898651bb7ebc8ff53fa8222683096
SHA25682747bebfc23c499d660bca3d31829dcd42172125c6d3530c3830b20f959eca9
SHA5125d731b59a051c03923f3b445185139c41f3323eae51f038b2390a98d8847bfa8cda4ce21556ac499739e1b8e215fc2b0b063e8c1c506a97d20f5a5dc9cdfb281
-
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291_x64\jre1.8.0_29164.msiMD5
3cdae39110c1f107a3ac413e69b97b71
SHA1fdc70fb84e9beb500ce801db9581d6a5e6cccd27
SHA256db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd
SHA5125c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca
-
C:\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exeMD5
f459080148823ab6b07d432f421fe1cc
SHA18ed4123338458dda21521c9c6edb5755947aec08
SHA25668a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40
SHA512323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
916991c368e71294e7f37e9cfa708cb4
SHA1
f8909bfebf95281ef72f27c0cf0b7c0b64efc0b3
SHA256
30059797cbd320cf0c5213967cfb6636abbdf9dbea8174cce2a63a390e91c965
SHA512
ad4894bdf4f397369311dbed7ac259b89da79ab489dd9d72d188b14ad5d87a1f13da1091925bd5f31f3aa1f734a9e38827013255a88c68258c8ed3c602e18a15
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
77083c73bb1a7baf1df9931688cea276
SHA1
119050a1ff67e64f1b6c1b94d288fbb318890a70
SHA256
b426fb3af23ac89cdde9783b1c3f66da1ff9ee777ae46ee4d5f2b26f409fa79d
SHA512
4fbbc443053f1691cd67c861b4e4e96abd289d820564735f0d17e9db1a3c0a3bf09a3e17196d9fdf1dcad3d5cfca8d263eba97421f675266496f732d1d18e958
-
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
d93a18a03047be160d58cbc916a50c86
SHA1
84eb799fb85a7486e6404bd62bb0a79e7b4cfa9c
SHA256
2d440dda241920bcb384be28bcb3834fff634c2225d018264687c844b54d2ff4
SHA512
1821e1a446557d2f7b37cdcd56ebc856aee3cb7be767a5fb22db4dd3c0a25c97aaf75f1327216df43d475711d66187c11e40c4394f7f335504235f81dc92da8d
-
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907
SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c
SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca
SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d
-
C:\Windows\Installer\MSI6500.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
C:\Windows\Installer\MSI6964.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
C:\Windows\Installer\MSI6B59.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
C:\Windows\Installer\f755d31.msi
MD5
3cdae39110c1f107a3ac413e69b97b71
SHA1
fdc70fb84e9beb500ce801db9581d6a5e6cccd27
SHA256
db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd
SHA512
5c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5
35bc1f1c6fbccec7eb8819178ef67664
SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c
SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7
SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-file-l2-1-0.dll
MD5
3bf4406de02aa148f460e5d709f4f67d
SHA1
89b28107c39bb216da00507ffd8adb7838d883f6
SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e
SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
8acb83d102dabd9a5017a94239a2b0c6
SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae
SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413
SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
9c9b50b204fcb84265810ef1f3c5d70a
SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3
SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40
SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-2-0.dll
MD5
d175430eff058838cee2e334951f6c9c
SHA1
7f17fbdcef12042d215828c1d6675e483a4c62b1
SHA256
1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a
SHA512
6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
43e1ae2e432eb99aa4427bb68f8826bb
SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b
SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c
SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5
285dcd72d73559678cfd3ed39f81ddad
SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a
SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44
SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5
212d58cefb2347bd694b214a27828c83
SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870
SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989
SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
883120f9c25633b6c688577d024efd12
SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18
SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc
SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5
29680d7b1105171116a137450c8bb452
SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130
SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af
SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5
-
\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-string-l1-1-0.dll
MD5
f816666e3fc087cd24828943cb15f260
SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e
SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a
SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581
-
\Program Files\Java\jre1.8.0_291\bin\ucrtbase.dll
MD5
61eb0ad4c285b60732353a0cb5c9b2ab
SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d
-
\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8
SHA1
5adecc55700b31238889abb137e3a4654ba92831
SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb
SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7
-
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e
SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91
-
\Program Files\Java\jre1.8.0_291\installer.exe
MD5
555df4fdc4bf2b1637c78202220bf3bf
SHA1
11e572f2b737ca8947358d94554f66fdc007b2f5
SHA256
95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04
SHA512
ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc
-
\ProgramData\Oracle\Java\installcache_x64\259356123.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85
SHA1
fa33f3098c511a1192111f0b29a09064a7568029
SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
\Users\Admin\AppData\Local\Temp\jds259289792.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc
SHA1
8ed4123338458dda21521c9c6edb5755947aec08
SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40
SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99
-
\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907
SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c
SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca
SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d
-
\Windows\Installer\MSI6500.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
\Windows\Installer\MSI6964.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
\Windows\Installer\MSI6B59.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf
SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834
SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e
SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995
-
memory/584-104-0x0000000000000000-mapping.dmp
-
memory/772-188-0x0000000000000000-mapping.dmp
-
memory/924-144-0x0000000000000000-mapping.dmp
-
memory/944-79-0x0000000000000000-mapping.dmp
-
memory/1100-134-0x0000000000000000-mapping.dmp
-
memory/1120-138-0x0000000000000000-mapping.dmp
-
memory/1172-65-0x0000000000000000-mapping.dmp
-
memory/1172-67-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
Filesize
8KB
-
memory/1240-135-0x0000000000000000-mapping.dmp
-
memory/1368-193-0x0000000000000000-mapping.dmp
-
memory/1508-139-0x0000000000000000-mapping.dmp
-
memory/1508-141-0x00000000021C0000-0x0000000002430000-memory.dmp
Filesize
2.4MB
-
memory/1508-142-0x0000000000210000-0x0000000000211000-memory.dmp
Filesize
4KB
-
memory/1516-208-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize
4KB
-
memory/1516-207-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize
4KB
-
memory/1516-204-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize
4KB
-
memory/1516-205-0x0000000002250000-0x00000000024C0000-memory.dmp
Filesize
2.4MB
-
memory/1548-192-0x0000000000000000-mapping.dmp
-
memory/1580-178-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize
4KB
-
memory/1580-172-0x0000000000000000-mapping.dmp
-
memory/1580-184-0x0000000002580000-0x0000000002590000-memory.dmp
Filesize
64KB
-
memory/1580-185-0x0000000002590000-0x00000000025A0000-memory.dmp
Filesize
64KB
-
memory/1580-186-0x00000000025A0000-0x00000000025B0000-memory.dmp
Filesize
64KB
-
memory/1580-187-0x00000000025B0000-0x00000000025C0000-memory.dmp
Filesize
64KB
-
memory/1580-182-0x0000000002570000-0x0000000002580000-memory.dmp
Filesize
64KB
-
memory/1580-180-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize
4KB
-
memory/1580-177-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize
4KB
-
memory/1580-175-0x0000000000120000-0x0000000000121000-memory.dmp
Filesize
4KB
-
memory/1580-174-0x0000000002300000-0x0000000002570000-memory.dmp
Filesize
2.4MB
-
memory/1588-167-0x0000000002620000-0x0000000002630000-memory.dmp
Filesize
64KB
-
memory/1588-151-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1588-166-0x0000000002610000-0x0000000002620000-memory.dmp
Filesize
64KB
-
memory/1588-165-0x0000000002600000-0x0000000002610000-memory.dmp
Filesize
64KB
-
memory/1588-163-0x00000000025E0000-0x00000000025F0000-memory.dmp
Filesize
64KB
-
memory/1588-160-0x00000000025B0000-0x00000000025C0000-memory.dmp
Filesize
64KB
-
memory/1588-162-0x00000000025D0000-0x00000000025E0000-memory.dmp
Filesize
64KB
-
memory/1588-161-0x00000000025C0000-0x00000000025D0000-memory.dmp
Filesize
64KB
-
memory/1588-145-0x0000000000000000-mapping.dmp
-
memory/1588-168-0x0000000002630000-0x0000000002640000-memory.dmp
Filesize
64KB
-
memory/1588-169-0x0000000002640000-0x0000000002650000-memory.dmp
Filesize
64KB
-
memory/1588-170-0x0000000002650000-0x0000000002660000-memory.dmp
Filesize
64KB
-
memory/1588-164-0x00000000025F0000-0x0000000002600000-memory.dmp
Filesize
64KB
-
memory/1588-147-0x0000000002330000-0x00000000025A0000-memory.dmp
Filesize
2.4MB
-
memory/1588-159-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1588-154-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1588-155-0x00000000025A0000-0x00000000025B0000-memory.dmp
Filesize
64KB
-
memory/1588-148-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1588-150-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1588-149-0x0000000001E20000-0x0000000001E21000-memory.dmp
Filesize
4KB
-
memory/1668-133-0x0000000000000000-mapping.dmp
-
memory/1732-202-0x0000000000000000-mapping.dmp
-
memory/1748-171-0x0000000000000000-mapping.dmp
-
memory/1808-200-0x0000000000000000-mapping.dmp
-
memory/1808-203-0x0000000000210000-0x0000000000211000-memory.dmp
Filesize
4KB
-
memory/1808-206-0x00000000022B0000-0x0000000002520000-memory.dmp
Filesize
2.4MB
-
memory/1828-137-0x0000000000000000-mapping.dmp
-
memory/1828-190-0x0000000000000000-mapping.dmp
-
memory/1828-93-0x0000000000000000-mapping.dmp
-
memory/1956-136-0x0000000000000000-mapping.dmp
-
memory/1960-89-0x0000000000000000-mapping.dmp
-
memory/2024-196-0x00000000021C0000-0x0000000002430000-memory.dmp
Filesize
2.4MB
-
memory/2024-197-0x0000000000110000-0x0000000000111000-memory.dmp
Filesize
4KB
-
memory/2040-59-0x0000000076281000-0x0000000076283000-memory.dmp
Filesize
8KB