9de171005e8191a70274184c61dcac5e75b6a4307063c740609209da86592f3c

Resubmissions

10-07-2021 16:53

210710-thekp6z3ka 10

10-07-2021 16:51

210710-yc1gf34hxn 8

Analysis

max time kernel
189s
max time network
293s
platform
windows10_x64
resource
win10v20210408
submitted
10-07-2021 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd.exe
Size

82.1MB
MD5

9b5aaf2bfe25d830f482b5516471aea3
SHA1

442c40f4dd466a643595a40ae1239c89fca6f9ae
SHA256

9de171005e8191a70274184c61dcac5e75b6a4307063c740609209da86592f3c
SHA512

508322b9d26d55f291d6511103b15dffd9c2230599d51f28c63dfdf9ff6d494a6240fa7daa1b354a051524ea888da6b7b8f03420c4c209ffa734328c10c10b42

Score

10^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

21 1464 msiexec.exe

flow	pid	process
21	1464	msiexec.exe

Executes dropped EXE 15 IoCs

Processes:

jre-8u291-windows-x64.exejre-8u291-windows-x64.exeinstaller.exebspatch.exeCristalixLauncher-3.0.145.exejre-8u291-windows-x64.exejre-8u291-windows-x64.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
412	jre-8u291-windows-x64.exe
1420	jre-8u291-windows-x64.exe
1632	installer.exe
3364	bspatch.exe
1492	CristalixLauncher-3.0.145.exe
2064	jre-8u291-windows-x64.exe
2600	jre-8u291-windows-x64.exe
1156	unpack200.exe
1236	unpack200.exe
1216	unpack200.exe
2060	unpack200.exe
3944	unpack200.exe
1872	unpack200.exe
2504	unpack200.exe
2400	javaw.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeinstaller.exe

pid	process
1232	MsiExec.exe
1232	MsiExec.exe
1232	MsiExec.exe
1156	unpack200.exe
1236	unpack200.exe
1216	unpack200.exe
2060	unpack200.exe
3944	unpack200.exe
1872	unpack200.exe
2504	unpack200.exe
2400	javaw.exe
2400	javaw.exe
2400	javaw.exe
2400	javaw.exe
2400	javaw.exe
2400	javaw.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe
1632	installer.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3616 icacls.exe

pid	process
3616	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exejava.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-math-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\deploy\splash_11-lic.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\rt.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\javafx\glib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\jsse.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-console-l1-2-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-namedpipe-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\JAWTAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\wsdetect.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\fontconfig.bfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\fonts\LucidaSansRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\jdk\mesa3d.md	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\lcms.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\jdk\asm.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\t2k.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259471750\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-stdio-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\keytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\ext\sunmscapi.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\jsse.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\prism_sw.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\javafx\icu_web.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jsdt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\pack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\legal\javafx\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\deploy\messages_zh_HK.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\psfontj2d.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\javacpl.cpl	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\plugin.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jli.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\lib\images\cursors\win32_LinkNoDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\javafx_font.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_291\bin\jfr.dll	installer.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63FC.tmp	msiexec.exe
File created	C:\Windows\Installer\f7511b7.msi	msiexec.exe
File created	C:\Windows\Installer\f7511b4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7511b4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI201C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180291F0}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1648 1420 WerFault.exe jre-8u291-windows-x64.exe
3944 4024 WerFault.exe jp2launcher.exe
936 2520 WerFault.exe javaw.exe

pid	pid_target	process	target process
1648	1420	WerFault.exe	jre-8u291-windows-x64.exe
3944	4024	WerFault.exe	jp2launcher.exe
936	2520	WerFault.exe	javaw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_291\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0222-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0016-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0158-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_198"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0231-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0152-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0161-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_161"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_62"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_87"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0114-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_101"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_199"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_24"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0108-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_188"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0119-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0267-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_177"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0102-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_102"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_04"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_98"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_29"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_51"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0297-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0165-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_37"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0197-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0258-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0237-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0221-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_28"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_72"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_213"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0102-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_102"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0138-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBA}	installer.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1236 NOTEPAD.EXE

pid	process
1236	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

WerFault.exe

pid	process
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-8u291-windows-x64.exemsiexec.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSecurityPrivilege	1464	msiexec.exe
Token: SeCreateTokenPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeLockMemoryPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeMachineAccountPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeTcbPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSecurityPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeTakeOwnershipPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeLoadDriverPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSystemProfilePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSystemtimePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeProfSingleProcessPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeIncBasePriorityPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeCreatePagefilePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeCreatePermanentPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeBackupPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeRestorePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeShutdownPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeDebugPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeAuditPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeChangeNotifyPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeRemoteShutdownPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeUndockPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeSyncAgentPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeEnableDelegationPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeManageVolumePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeImpersonatePrivilege	1420	jre-8u291-windows-x64.exe
Token: SeCreateGlobalPrivilege	1420	jre-8u291-windows-x64.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeDebugPrivilege	1648	WerFault.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

dd.exejre-8u291-windows-x64.exejre-8u291-windows-x64.exejava.exe

pid	process
996	dd.exe
996	dd.exe
1420	jre-8u291-windows-x64.exe
1420	jre-8u291-windows-x64.exe
1420	jre-8u291-windows-x64.exe
1420	jre-8u291-windows-x64.exe
1420	jre-8u291-windows-x64.exe
2600	jre-8u291-windows-x64.exe
3968	java.exe
2600	jre-8u291-windows-x64.exe
2600	jre-8u291-windows-x64.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

jre-8u291-windows-x64.exemsiexec.exeinstaller.exeCristalixLauncher-3.0.145.exejavaw.exejre-8u291-windows-x64.exe

description	pid	process	target process
PID 412 wrote to memory of 1420	412	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 412 wrote to memory of 1420	412	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 1464 wrote to memory of 1232	1464	msiexec.exe	MsiExec.exe
PID 1464 wrote to memory of 1232	1464	msiexec.exe	MsiExec.exe
PID 1464 wrote to memory of 1632	1464	msiexec.exe	installer.exe
PID 1464 wrote to memory of 1632	1464	msiexec.exe	installer.exe
PID 1632 wrote to memory of 3364	1632	installer.exe	bspatch.exe
PID 1632 wrote to memory of 3364	1632	installer.exe	bspatch.exe
PID 1632 wrote to memory of 3364	1632	installer.exe	bspatch.exe
PID 1492 wrote to memory of 2224	1492	CristalixLauncher-3.0.145.exe	javaw.exe
PID 1492 wrote to memory of 2224	1492	CristalixLauncher-3.0.145.exe	javaw.exe
PID 2224 wrote to memory of 3968	2224	javaw.exe	java.exe
PID 2224 wrote to memory of 3968	2224	javaw.exe	java.exe
PID 2064 wrote to memory of 2600	2064	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 2064 wrote to memory of 2600	2064	jre-8u291-windows-x64.exe	jre-8u291-windows-x64.exe
PID 1632 wrote to memory of 1156	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1156	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1236	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1236	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1216	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1216	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 2060	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 2060	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 3944	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 3944	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1872	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 1872	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 2504	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 2504	1632	installer.exe	unpack200.exe
PID 1632 wrote to memory of 2400	1632	installer.exe	javaw.exe
PID 1632 wrote to memory of 2400	1632	installer.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\dd.exe
"C:\Users\Admin\AppData\Local\Temp\dd.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:996

C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
"C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\jds259301703.tmp\jre-8u291-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds259301703.tmp\jre-8u291-windows-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1420 -s 2712
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6B6B98FA5274E86E9DC364F44FD12809
2⤵
- Loads dropped DLL
PID:1232

C:\Program Files\Java\jre1.8.0_291\installer.exe
"C:\Program Files\Java\jre1.8.0_291\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_291\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180291F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632

C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:3364

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_291\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1156

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_291\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1236

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_291\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_291\lib/rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2060

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_291\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3944

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_291\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_291\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400

C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_291\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
PID:4036

C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:2068

C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:4024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4024 -s 164
5⤵
- Program crash
PID:3944

C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:3716

C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:3892

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 77062E54C2C0D1ECE17018A6EF13697B E Global\MSI0000
2⤵
PID:1652

C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -Djava.net.preferIPv4Stack=true -XX:-UsePerfData -XX:+DisableAttachMechanism -cp C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe ru.cristalix.launcher.Ooo0ooOO0_MoJa_0BoRoNa_SHELKoVII_MaLCHIK_ARBUZN0Go_GLaZa
3⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
"C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\jds259400359.tmp\jre-8u291-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds259400359.tmp\jre-8u291-windows-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:2332

C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
1⤵
PID:2704

C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe"
2⤵
PID:2520

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:3616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2520 -s 792
3⤵
- Program crash
PID:936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\hs_err_pid3968.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_291\bin\VCRUNTIME140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\java.dll
MD5
a4611db044952b28613f163d4887fcbc

SHA1
a75eff4b211e9ddaf47396c493426b2afdf53730

SHA256
7c91cfcbef091681ac52536e3a248027c76ac92d0fcdbae1aa2f1e7e877fbc4a

SHA512
4041afb995b09a3b809f9fa5e21002d9366e8d6ca527879d66805606fd39a07039dc1781222891a04976411c658122131b1cebab3b7615d1bc86503f97dd6263

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\javaw.exe
MD5
5f70c8b0c0b98f5ffdf70759d3147015

SHA1
14004eb6318ae310adc4e1085ec51b4127020df4

SHA256
ac0ca8acb76e95628fdc986b75831ef53d910a68d0f05bd7a9215eba89473211

SHA512
53d32d3e740f767811c5b1637916ec7b35cd841319a5d96c2a13edc3cf07bf6b40c169148529f98cf3f9d62d82f3b772372ef48937d6916d6544efc9786ffb59

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\server\jvm.dll
MD5
0431ad5306dbc9070f866f289b2d970b

SHA1
c8587d71b5d16ad3128a707174f20ffc510eb323

SHA256
1b22bf16fbad4fd7b37d5968fc23d5e07a2a568d3d4f59d4e9e9865a74c500ec

SHA512
e184a895c57afcdc0e0c891894065bba5f5f4cace766d4acca14f2aaafc21719d685a8035d3e1f979c877659d46e590309912939681a8977cbfceb3ee865b0ee

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\bin\unpack200.exe
MD5
bd190f92c29eaf4354f1f636c58c22d8

SHA1
5adecc55700b31238889abb137e3a4654ba92831

SHA256
2effa91aba423ba62593b7e5da09b20c6e42390eae3af9b4af84ebb662fc4cfb

SHA512
aabb7e1b1f91dfb8c298d34e4add50a5fd9a39992232218d9b0c518179e445cdc208c83f190f33f6990fc4ba472c86b29359f72c9c51e0cc51fa4cc38c44a1d7

Download Submit
C:\Program Files\Java\jre1.8.0_291\installer.exe
MD5
555df4fdc4bf2b1637c78202220bf3bf

SHA1
11e572f2b737ca8947358d94554f66fdc007b2f5

SHA256
95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04

SHA512
ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc

Download Submit
C:\Program Files\Java\jre1.8.0_291\installer.exe
MD5
555df4fdc4bf2b1637c78202220bf3bf

SHA1
11e572f2b737ca8947358d94554f66fdc007b2f5

SHA256
95929d0a6ee3df75a3db2a8f21b644e150ac64838767222bea6621253b29bf04

SHA512
ff1bcb82436cb5d6841fec587b17119d3f7437c723bde17500cbcab95eb1d6289abd97feb3b9967c449b9e24746b42bfde985bab13dd8b5119d565fb0c0979bc

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\amd64\jvm.cfg
MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\charsets.pack
MD5
de62b4cf916ca6e81a13d8b78a7108b7

SHA1
5842b464eb9a54cec06a7215dbd6df598c9afd88

SHA256
a042845d37d9db582fb3225a69a66b69b4f6558127d1e4298e34efbe916b959f

SHA512
ec3d3e26e0bc4ea6630bb0e5fa410075e0c28e91e912a38fd79ccfa6abdbe203864486803aaa7b42f37d266451070997d8a9da6cda4ef1347fcf9ad4ec21a58e

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\deploy.pack
MD5
b4d4edc98f1101587c40034f8d073e8f

SHA1
3652739f9aae91b4c12282fb4f5afd77d3f592cd

SHA256
02952e1c14924672ab55443bdc16799b62aa3516c3b4e4c3765c307250f4a0e3

SHA512
a5da0aef9b916d2e31b1caeb1ed060edc8ce8ee98bd6edf81070ea22eccc68120695fdd7aa8fc73d65e05c4c020308c53e92ca7fca57d1f49978b3145410ba03

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\ext\localedata.pack
MD5
668801136b86c6bd56c6212a827dabf6

SHA1
5d1f28bc3d34a1d6e894cb8ceebd39bb733d2563

SHA256
07dd72517acf29761d9fcb093ec56b55407f773f5d672db60a9206af0da07822

SHA512
554b35eb99760036c22b581585c204e874ba9fb6b61d82e8778eb61cc5e92aa6a32a975ead8da9d8a38c66c306225b7e4b9fb35479a6642680bd3447e2c2ef0b

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\javaws.pack
MD5
32fa11ff25d56760af529c9394038383

SHA1
0ce20675645f8e4ac140b7bbef27367fbb3b7383

SHA256
1fd9f9780d1c28c32ba4f5e06072b3bf50a4551b9deeec9abeaf12fa580ba614

SHA512
e85da53d2cf9a0476b7c44ec7b6999889d8ac431ab8301e6f3c0cb34767b36992c253c258ac000e3157dce81d5c5beae89a14c34ab3340ce3d887f01be1afd70

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\jsse.pack
MD5
f7399d332dac8f82525bc66df200bf76

SHA1
c48a33c9b65ab99b6eea6a6a5f78a9c2fd3fb281

SHA256
0a882dee35796e2033b7535bd7e11e23fe371197492e08969f20d322541feb98

SHA512
0d6a0262378f4c32fff4a2db6f90866eedfa7a4442aa05c35395993a9771822ec9f245a815ab1cd6db4c02270cb530638019ddacd68eade7bd8e74d94629fc25

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\plugin.pack
MD5
6e00d9826aef8c297bfd6bd226492538

SHA1
ce3324081a58422bd76a4fd0dd5bcc81296f4c84

SHA256
ddfef2152ab038902b1408c446ba0f2f93cdf4bcf88341e8995757cf8274c207

SHA512
491dafbac5e294064a7776fcbaeb9ad1670eb1a26ae77554e81271b55a35a651e255dc87aad810f49c0de8ce155dc0be0ce6e5af07015b75ac45d2dd987c0fda

Download Submit
C:\Program Files\Java\jre1.8.0_291\lib\rt.pack
MD5
47f868508c242ef534127e9f08814b34

SHA1
778a7a04f314e091e40f0fca33bbf3a3c9d9a326

SHA256
2221436cb8fa738f336b593353482f4a85f36da58bc4c10c888f6854d6bbdbf3

SHA512
b5b9891e2573140ac42741128199408749adb7aa1dceaf2a3649988fd791b8bdc29067c38492e0488e02f84491e736be240e1816347f30094f122681d3fbe835

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\baseimagefam8
MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\diff
MD5
da4e745b8bad3af16ce5a0022a3b392d

SHA1
0413500743c53204f56b4800e345c9fd64afe080

SHA256
01f42f9e600f76278dd2f3d1ffa9fa61d3620d95f15f5570beac2e1fef4d1361

SHA512
72d7a0cf4bc56282486a1912c1aa116b8b75775119d16d64975dcc2b77a28080e5fe48f0d92bc7f64ab487792d930691b10b621ccdf27b803092d7db58bed590

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259357921.tmp\newimage
MD5
02f19e36fa82c9eb17b925a799bce392

SHA1
7ddbaa8a650c827c0919947fed7bf98eec1f0ad7

SHA256
deb84d0994611b6387f7885cc536ea3b7f37c15cb334b113b5f4d746c9511ee7

SHA512
ad4dff9488ff09140c361adf20cad38cc0bfe5a319c5e3af637ed07eaf9a0337b1fdc19c3edf0aa0d361b8ee83ff519a95e771699b477ea384d5927c46e05f80

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8
MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
ecdeeb255530f26ebe0e729a71677e6a

SHA1
3d1aa17349e5229ea514aefba7e7d8c7e9939b11

SHA256
a5ff0e7fcf6e4e8f0351a8011fb721d14bb8d9508ba43d8417bcdd75877f7b66

SHA512
d6ca000ac84d89abdf8fc3817e36eeaa55de7349269dc955d8a62a1eea1043ec149f3cefc58165e16b539b3dad4947e97334ad012ce959145588ae1a7d42a6c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
6395db77af1b060384a2e9ee1125e577

SHA1
3510088a868ca66808ac931b12e8c0499979178e

SHA256
cfac46dabe10c1f426836c7ee48aa2a11d50e914c22c5ce2d92f14243c66d92f

SHA512
da3d289d14636219141216d78ca109a8c73cde77f2d7901c11bae2b74588bc8e5815f374285790400de8e35b78cf893ed2f8a17e5edde4b88b7edab93ff555e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
a7f172e8ac20e8f5af3d88b8c316b57a

SHA1
88f8c22e437d8fb98fc534b54b3617c341fb7c26

SHA256
dbf90cd62a32511e2d708a9f362536424b415598311808b6d4469c68a3532a76

SHA512
a97a776a88338220556d3e363e49ecca3463a871114941d4367acff05612bdab717d2e936a68b974886888a728e9d026dd356f69dbfcb419e6bfcf8284697962

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291_x64\jre1.8.0_29164.msi
MD5
3cdae39110c1f107a3ac413e69b97b71

SHA1
fdc70fb84e9beb500ce801db9581d6a5e6cccd27

SHA256
db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd

SHA512
5c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301703.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259301703.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259400359.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259400359.tmp\jre-8u291-windows-x64.exe
MD5
f459080148823ab6b07d432f421fe1cc

SHA1
8ed4123338458dda21521c9c6edb5755947aec08

SHA256
68a480c5e0b9f0e733e392cceb072171679bc6a2179d8c74c1b1461af4ff9e40

SHA512
323790e04826d1a273cd23e180f6825e7acd5f64aafba8982d785dd8f6afb92d65c3c89afd9741e360deaaa7a4756010ba9e006bad32d86a9de0e91f42aaac99

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
5bb56c5936a530f8382427291733a538

SHA1
56567641986cc42ddb29900a3aae309698c09af9

SHA256
ba48c8fee8b27855d7126a090e744dee01cc90696f24d531a8a9c631890bd05d

SHA512
9cf9aef3519fc836557f67c232c0fede47de1b87924101739051e8621fd8111c2c3beab683bbabaa08f1097de1cbf4bba2fa3c99ecf9dfe5380bec860676a0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
ce4ea455f216ade0db43c9d0809c4c7b

SHA1
3ee137dea556262376305d7bf138389d594fb2d4

SHA256
729c8e72caddbcb32fc34bc627595b3b4e88625247c3b3c74e1199bbab981400

SHA512
106b64debea639508a33b51ff1c0f7dc134dfe7c24abf87ce499a32a145b6882f2e6e607ff107b22b56913c89b619eac302a66458ed6bab223a2dee89a3cf1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
a05919249e79b8d9fa76bad014c17ea1

SHA1
62807a4a02c757c48a0d1ca38a27b4572348e409

SHA256
1fdec7e50b4b6c06ffa2be74cb3f4bc5242511825be4dc8cc18ca37b57e8ec4a

SHA512
76902b1732ed9d2431cfcf1ff9e4e1cef7b2c17bb3b47f2943c66d7388a8af68ace82597ca17b2d2602574ba2b2c6bc69863d6a3f225de81bec46365294ca6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
60194cf85031985dd3bc2b88de41a9ba

SHA1
a396b27eb8872fd432fcfb4e9b29edf5162afae2

SHA256
89a1d2616ac5bd3a384b49a616bccdd18119f60782a252401b8db3cc6d1b2f53

SHA512
3ad44eda24bdb9f6a5dce02bdf38c729a78bd64e1887dc6206c08c49c42ddf5bb3fd7a90aca1e2e12287e791bc61762f22464b02b8b0153fc6a88e2b732af4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
447c6f310fb28d9ea0f16ef313f7b9ab

SHA1
2921f6c21bb8fdd856b03395f96ceb24136c80ef

SHA256
4cfb55b5eb664ac8552339aaed6f9648184bd7edd2b0b2a787108a737901ce5f

SHA512
60a3e363f4b30da07a8aef93cd3ec0e4ba0b22b82541e7720e1c385c74da7e337b426a63ac65318afe6d98c0e9c5443b959f39fefb6277ccf422c41ab1d2c693

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
0c344b7989f395bade31319966d1e56b

SHA1
8d14b527b9a7f4bdfe1cf861503c30b9f59a6841

SHA256
639ed3361206b0d4ed3e7c22f7452be40bd63a299a9be142b1b1c94d0cfcb80e

SHA512
e4d6e236a9c12c0c75dcf50feb3b9a215273586c880a58a03594158beed8c585d721cc6446a1fe426f1af259f733396902726b5b0fc2ffe6343f80af3ac0455f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
c90f9a69d819d6341289380d5c531cf2

SHA1
a720e88e9ee5f67e3b8d03fd02f57e9d93e4c653

SHA256
a9f5d24c40d30e267640a811543d07b8b1d4e78c1bc2ce8864455fa22148d89b

SHA512
60cce1b680890b69c5710d92ad2e82b35b1b7907ec375afc645e193cf569df7ab77b1208ca5d371a8c16bd2c0a34eb73031848aee347e5f01d59bcb340e1c50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
3fca4e08e3de5acd0b7701587144e3b8

SHA1
512a04d43c1a0543bc493ade35eea5926f3d9a55

SHA256
b8033c52b22782b94f9be6bf045c63c3366af81a367656302b14a6c7564350b4

SHA512
580be0224fb85dc3d416d9bb0e3f8f3abfc0ee7b8407a22f5279714d0bb85e7d52701188299fd340440127bf23c3804515ab226e14d1b0b97f8186c1a47a7636

Download Submit
C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\Desktop\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
C:\Users\Admin\Desktop\jre-8u291-windows-x64.exe
MD5
fcc91a877a42ff07e21ed1660818d907

SHA1
3acda10a101c59983c20eb6edbcf5e838bc4f47c

SHA256
c883e1b36fc6ff815de3124377cc9409c97462060e080a7198e7f28cfce91cca

SHA512
1e1550a86b02c4b41947f7e23aca21632d7d44c8b9adc49bf7e858a696405be8593fb432be1bf12fdad36b899e31950973f45d6cd28f32c0a96757acc8ee736d

Download Submit
C:\Windows\Installer\MSI1C14.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\MSI201C.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\MSI64A9.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
C:\Windows\Installer\f7511b7.msi
MD5
3cdae39110c1f107a3ac413e69b97b71

SHA1
fdc70fb84e9beb500ce801db9581d6a5e6cccd27

SHA256
db5d0cde928bba56faeb2ea9e54640a69d131a8ba2d1ad716e85de62cc7753fd

SHA512
5c3f6d17567885d60e4b8b83d37080cbd8753edfbfa44a42147cf61d7826ddc235f032cb5ad31079614ccaa03f0b9a951b0620fb6bd3103deb8c53456c8284ca

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Windows\Installer\MSI1C14.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
\Windows\Installer\MSI201C.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
\Windows\Installer\MSI64A9.tmp
MD5
a2a18777e0d4029c9692997f5e3b11bf

SHA1
4d4d3370d22eb8c3f55de8101fb7c35cf797a834

SHA256
ea7e21fb3b26e069c2122c75caf8de7622267a2ce19da711e3bf4e517b81963e

SHA512
19e14810ec00a6dd96c5b099539898c2e9dfce6877a82b43a6fa2a194b3f9e66713b92d907e6016b573bb6533a3cc36a4dd1d78844c83c848a93a278d0246995

Download Submit
memory/1156-199-0x0000000000000000-mapping.dmp

Download
memory/1216-209-0x0000000000000000-mapping.dmp

Download
memory/1232-125-0x0000000000000000-mapping.dmp

Download
memory/1236-205-0x0000000000000000-mapping.dmp

Download
memory/1420-118-0x0000000000000000-mapping.dmp

Download
memory/1632-137-0x0000000000000000-mapping.dmp

Download
memory/1652-310-0x0000000000000000-mapping.dmp

Download
memory/1872-221-0x0000000000000000-mapping.dmp

Download
memory/2060-213-0x0000000000000000-mapping.dmp

Download
memory/2068-237-0x0000000000000000-mapping.dmp

Download
memory/2224-168-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2224-154-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2224-150-0x00000000027D0000-0x0000000002A40000-memory.dmp

Filesize
2.4MB

Download
memory/2224-151-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2224-149-0x0000000000000000-mapping.dmp

Download
memory/2224-162-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2224-163-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2224-166-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2224-167-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2224-169-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/2400-235-0x0000021941120000-0x0000021941121000-memory.dmp

Filesize
4KB

Download
memory/2400-234-0x00000219429B0000-0x0000021942C20000-memory.dmp

Filesize
2.4MB

Download
memory/2400-229-0x0000000000000000-mapping.dmp

Download
memory/2504-225-0x0000000000000000-mapping.dmp

Download
memory/2520-326-0x000002299AC70000-0x000002299AC80000-memory.dmp

Filesize
64KB

Download
memory/2520-281-0x0000000000000000-mapping.dmp

Download
memory/2520-325-0x000002299AC60000-0x000002299AC70000-memory.dmp

Filesize
64KB

Download
memory/2520-324-0x000002299AC50000-0x000002299AC60000-memory.dmp

Filesize
64KB

Download
memory/2520-323-0x000002299AC40000-0x000002299AC50000-memory.dmp

Filesize
64KB

Download
memory/2520-327-0x000002299AC80000-0x000002299AC90000-memory.dmp

Filesize
64KB

Download
memory/2520-322-0x000002299AC30000-0x000002299AC40000-memory.dmp

Filesize
64KB

Download
memory/2600-178-0x0000000000000000-mapping.dmp

Download
memory/3364-142-0x0000000000000000-mapping.dmp

Download
memory/3616-298-0x0000000000000000-mapping.dmp

Download
memory/3716-242-0x0000000000000000-mapping.dmp

Download
memory/3892-274-0x0000021DCDDB0000-0x0000021DCDDC0000-memory.dmp

Filesize
64KB

Download
memory/3892-283-0x0000021DCDD70000-0x0000021DCDD80000-memory.dmp

Filesize
64KB

Download
memory/3892-304-0x0000021DCDDD0000-0x0000021DCDDE0000-memory.dmp

Filesize
64KB

Download
memory/3892-293-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-290-0x0000021DCDDC0000-0x0000021DCDDD0000-memory.dmp

Filesize
64KB

Download
memory/3892-285-0x0000021DCDD80000-0x0000021DCDD90000-memory.dmp

Filesize
64KB

Download
memory/3892-244-0x0000000000000000-mapping.dmp

Download
memory/3892-280-0x0000021DCDD60000-0x0000021DCDD70000-memory.dmp

Filesize
64KB

Download
memory/3892-282-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-278-0x0000021DCDD50000-0x0000021DCDD60000-memory.dmp

Filesize
64KB

Download
memory/3892-276-0x0000021DCDD40000-0x0000021DCDD50000-memory.dmp

Filesize
64KB

Download
memory/3892-273-0x0000021DCDDA0000-0x0000021DCDDB0000-memory.dmp

Filesize
64KB

Download
memory/3892-271-0x0000021DCDD90000-0x0000021DCDDA0000-memory.dmp

Filesize
64KB

Download
memory/3892-251-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-254-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-255-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-257-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-259-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-261-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-263-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-264-0x0000021DCDD10000-0x0000021DCDD20000-memory.dmp

Filesize
64KB

Download
memory/3892-262-0x0000021DCDD00000-0x0000021DCDD10000-memory.dmp

Filesize
64KB

Download
memory/3892-265-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-267-0x0000021DCD5D0000-0x0000021DCD5D1000-memory.dmp

Filesize
4KB

Download
memory/3892-269-0x0000021DCDD20000-0x0000021DCDD30000-memory.dmp

Filesize
64KB

Download
memory/3892-270-0x0000021DCDD30000-0x0000021DCDD40000-memory.dmp

Filesize
64KB

Download
memory/3944-217-0x0000000000000000-mapping.dmp

Download
memory/3968-173-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3968-172-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3968-186-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3968-195-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3968-165-0x0000000000000000-mapping.dmp

Download
memory/3968-183-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3968-170-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download
memory/3968-184-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3968-194-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/4024-240-0x000001FDA2DE0000-0x000001FDA2DE1000-memory.dmp

Filesize
4KB

Download
memory/4024-238-0x0000000000000000-mapping.dmp

Download
memory/4024-245-0x000001FDA3420000-0x000001FDA3430000-memory.dmp

Filesize
64KB

Download
memory/4024-239-0x000001FDA2DE0000-0x000001FDA2DE1000-memory.dmp

Filesize
4KB

Download
memory/4024-250-0x000001FDA3470000-0x000001FDA3480000-memory.dmp

Filesize
64KB

Download
memory/4024-249-0x000001FDA3460000-0x000001FDA3470000-memory.dmp

Filesize
64KB

Download
memory/4024-246-0x000001FDA3430000-0x000001FDA3440000-memory.dmp

Filesize
64KB

Download
memory/4024-247-0x000001FDA3440000-0x000001FDA3450000-memory.dmp

Filesize
64KB

Download
memory/4024-248-0x000001FDA3450000-0x000001FDA3460000-memory.dmp

Filesize
64KB

Download
memory/4024-243-0x000001FDA3410000-0x000001FDA3420000-memory.dmp

Filesize
64KB

Download
memory/4036-236-0x0000000000000000-mapping.dmp

Download