Analysis
max time kernel: 286s
max time network: 298s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/12/2022, 02:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://download.oracle.com/java/18/archive/jdk-18.0.2.1_windows-x64_bin.exe
Resource: win10-20220812-en

General
Target: https://download.oracle.com/java/18/archive/jdk-18.0.2.1_windows-x64_bin.exe
Malware Config
Signatures

Downloads MZ/PE file
Executes dropped EXE 6 IoCs
pid   Process
1016  jdk-18.0.2.1_windows-x64_bin.exe
4652  jdk-18.0.2.1_windows-x64_bin.exe
4328  SKlauncher 3.0.exe
4472  javaw.exe
2180  SKlauncher 3.0.exe
4180  javaw.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation  javaw.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation  javaw.exe
Loads dropped DLL 63 IoCs
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 14 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 46 IoCs
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description       ioc                                                                                                                                    Process
Key created       \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\PhishingFilter                       iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 8a04badea7aed801  iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31005291" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005291" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate 
iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378962841" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe -
Modifies data under HKEY_USERS 16 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Control Panel MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software MsiExec.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MsiExec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MsiExec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Environment MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\EUDC MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Printers MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\System MsiExec.exe
Key dele	ted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe
-
Modifies registry class 41 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\PackageCode = "85A37D526C547CA42A4D3524BBA4D209" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\Version = "301989890" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\DeploymentFlags = "3" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File" MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile\shell\open MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\738A2A3FB38F2375792F03B90E5FE1C0\ToolsFeature msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp MsiExec.exe
Key created \REGISTRY\MACHINE\Software\Classes\jarfile MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\738A2A3FB38F2375792F03B90E5FE1C0 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Applications\java.exe MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk18.0.2.1_x64\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk18.0.2.1_x64\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile\shell MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\Assignment = "1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D021008 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D021008\738A2A3FB38F2375792F03B90E5FE1C0 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.jar MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JFRFILE\SHELL\OPEN\COMMAND MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.jfr MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\AdvertiseFlags = "388" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\ProductIcon = "C:\\Program Files\\Java\\jdk-18.0.2.1\\\\bin\\java.exe" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\PackageName = "jdk18.0.2.164.msi" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Media\1 = "DISK1;1" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings firefox.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\ProductName = "Java(TM) SE Development Kit 18.0.2.1 (64-bit)" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\InstanceType = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Media\2 = "DISK1;1" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\Clients = 3a0000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\738A2A3FB38F2375792F03B90E5FE1C0\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jdk-18.0.2.1\\bin\\javaw.exe\" -jar \"%1\" %*" MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\jfrfile MsiExec.exe
-
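The 32-character hex names under Installer\Products and Installer\UpgradeCodes in the rows above are Windows Installer's "packed" form of the ProductCode, UpgradeCode and PackageCode GUIDs, and the Version DWORD packs major, minor and build into one integer. The Python below is an added example for this report (not part of the sandbox output or of the JDK installer) that decodes the values exactly as they appear in the rows; the unpacked GUIDs are what the packing rule yields, not identifiers quoted from Oracle's documentation.

```python
r"""Decode the packed identifiers msiexec wrote under
HKLM\SOFTWARE\Classes\Installer\Products and Installer\UpgradeCodes.

Added example for this report, not part of the sandbox output or of the
JDK installer. Inputs are copied from the "Modifies registry class" rows;
the decoding rules are Windows Installer's GUID packing (first three
groups reversed character-wise, the rest swapped in pairs) and its
ProductVersion DWORD packing (major<<24 | minor<<16 | build).
"""
import re

_HEX32 = re.compile(r"^[0-9A-F]{32}$")


def unpack_msi_guid(packed: str) -> str:
    r"""Packed ('Darwin') GUID -> {8-4-4-4-12} form."""
    p = packed.strip().upper()
    if not _HEX32.match(p):
        raise ValueError(f"not a 32-character packed GUID: {packed!r}")
    g1, g2, g3 = p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]
    # Remaining 16 hex chars are stored with each byte's two nibbles swapped.
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return f"{{{g1}-{g2}-{g3}-{tail[:4]}-{tail[4:]}}}"


def pack_msi_guid(guid: str) -> str:
    r"""Inverse of unpack_msi_guid; use it to find a known ProductCode under
    Installer\Products on a live system or in an offline SOFTWARE hive."""
    g = guid.strip().strip("{}").replace("-", "").upper()
    if not _HEX32.match(g):
        raise ValueError(f"not a GUID: {guid!r}")
    head = g[0:8][::-1] + g[8:12][::-1] + g[12:16][::-1]
    tail = "".join(g[i + 1] + g[i] for i in range(16, 32, 2))
    return head + tail


def decode_msi_version(value: int) -> tuple:
    r"""Installer\Products\<code>\Version DWORD -> (major, minor, build)."""
    return (value >> 24) & 0xFF, (value >> 16) & 0xFF, value & 0xFFFF


# Values copied from the registry rows of this report.
PRODUCT_ROWS = {
    "ProductCode": "738A2A3FB38F2375792F03B90E5FE1C0",  # Installer\Products\<this>
    "UpgradeCode": "4F4A3A46297B6D117AA8000B0D021008",  # Installer\UpgradeCodes\<this>
    "PackageCode": "85A37D526C547CA42A4D3524BBA4D209",
    "Version": 301989890,
    "ProductName": "Java(TM) SE Development Kit 18.0.2.1 (64-bit)",
}


def describe_product(rows: dict) -> dict:
    """Return the human-readable identity of the installed MSI product."""
    major, minor, build = decode_msi_version(rows["Version"])
    return {
        "name": rows["ProductName"],
        "version": f"{major}.{minor}.{build}",
        "product_code": unpack_msi_guid(rows["ProductCode"]),
        "upgrade_code": unpack_msi_guid(rows["UpgradeCode"]),
        "package_code": unpack_msi_guid(rows["PackageCode"]),
    }


if __name__ == "__main__":
    for key, val in describe_product(PRODUCT_ROWS).items():
        print(f"{key:13} {val}")
```

Decoding the Version value 301989890 gives 18.0.2, which agrees with the ProductName in the same rows; the round trip through pack_msi_guid is the lookup direction an analyst needs when starting from a ProductCode seen in an MSI's Property table.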
NTFS ADS 1 IoCs
description ioc Process
File created C:\Users\Admin\Downloads\SKlauncher 3.0.exe:Zone.Identifier firefox.exe
-
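The Zone.Identifier stream above is the Mark of the Web that firefox.exe attached to the downloaded SKlauncher 3.0.exe; it is what later makes SmartScreen and the "publisher could not be verified" prompt treat the file as Internet-sourced. The report records only that the stream was created, not its contents. The Python below is an added example (not from the report) that parses a stream body and reads one from disk; SAMPLE_STREAM and the URLs in it are constructed placeholders.

```python
r"""Read and interpret a Zone.Identifier alternate data stream (Mark of the
Web) of the kind the "NTFS ADS" row above records for SKlauncher 3.0.exe.

Added example; not part of the report. The report does not show the stream
body, so SAMPLE_STREAM is constructed and its hostnames are placeholders.
"""
import configparser
from typing import Optional

# URL security zone ids used in ZoneId (URLZONE_* values).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser writes; hostnames are placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://downloads.example.com/\n"
    "HostUrl=https://cdn.example.com/launcher.exe\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body into zone, origin URLs and a verdict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone_id = -1
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
        # Zones 3 and 4 are the ones download warnings and Protected View key on.
        "marked_from_internet": zone_id >= 3,
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the stream from an NTFS file on Windows using 'file:stream' syntax.

    Returns None when no Zone.Identifier stream exists, which is the case for
    files copied through non-NTFS media or extracted by tools that do not
    propagate the mark; such files get no download warning even if they came
    from the Internet.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On the sandbox host, read_zone_identifier on the Downloads path above would return the zone Firefox recorded; a None result on a file that was known to be downloaded is itself a finding, since it means the mark was stripped somewhere between the browser and the disk.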
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
1004 NOTEPAD.EXE
The file PID 1004 opened is C:\Users\Admin\Downloads\hs_err_pid4472.log (see the process tree). hs_err_pid<pid>.log is the fatal-error log the HotSpot JVM writes when it aborts, and PID 4472 is the javaw.exe that ran SKlauncher 3.0.exe, so this heuristic is a false positive here: a JVM crash log, not a ransom note.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
256 msiexec.exe
256 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 5056 firefox.exe
Token: SeDebugPrivilege 5056 firefox.exe
Token: SeShutdownPrivilege 1148 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1148 msiexec.exe
Token: SeSecurityPrivilege 256 msiexec.exe
The remaining 59 entries are all 1148 msiexec.exe enabling the same 29 privileges in the same order, twice through, with a third pass cut off where the list stops at 64 entries:
Token: SeCreateTokenPrivilege 1148 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1148 msiexec.exe
Token: SeLockMemoryPrivilege 1148 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1148 msiexec.exe
Token: SeMachineAccountPrivilege 1148 msiexec.exe
Token: SeTcbPrivilege 1148 msiexec.exe
Token: SeSecurityPrivilege 1148 msiexec.exe
Token: SeTakeOwnershipPrivilege 1148 msiexec.exe
Token: SeLoadDriverPrivilege 1148 msiexec.exe
Token: SeSystemProfilePrivilege 1148 msiexec.exe
Token: SeSystemtimePrivilege 1148 msiexec.exe
Token: SeProfSingleProcessPrivilege 1148 msiexec.exe
Token: SeIncBasePriorityPrivilege 1148 msiexec.exe
Token: SeCreatePagefilePrivilege 1148 msiexec.exe
Token: SeCreatePermanentPrivilege 1148 msiexec.exe
Token: SeBackupPrivilege 1148 msiexec.exe
Token: SeRestorePrivilege 1148 msiexec.exe
Token: SeShutdownPrivilege 1148 msiexec.exe
Token: SeDebugPrivilege 1148 msiexec.exe
Token: SeAuditPrivilege 1148 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1148 msiexec.exe
Token: SeChangeNotifyPrivilege 1148 msiexec.exe
Token: SeRemoteShutdownPrivilege 1148 msiexec.exe
Token: SeUndockPrivilege 1148 msiexec.exe
Token: SeSyncAgentPrivilege 1148 msiexec.exe
Token: SeEnableDelegationPrivilege 1148 msiexec.exe
Token: SeManageVolumePrivilege 1148 msiexec.exe
Token: SeImpersonatePrivilege 1148 msiexec.exe
Token: SeCreateGlobalPrivilege 1148 msiexec.exe
(second pass: the same 29 entries again, SeCreateTokenPrivilege through SeCreateGlobalPrivilege, 1148 msiexec.exe)
Token: SeCreateTokenPrivilege 1148 msiexec.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process
3500 iexplore.exe
3500 iexplore.exe
5056 firefox.exe
5056 firefox.exe
5056 firefox.exe
5056 firefox.exe
1148 msiexec.exe
1148 msiexec.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
pid Process
5056 firefox.exe
5056 firefox.exe
5056 firefox.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process
3500 iexplore.exe
3500 iexplore.exe
3320 IEXPLORE.EXE
3320 IEXPLORE.EXE
5056 firefox.exe
4652 jdk-18.0.2.1_windows-x64_bin.exe
5056 firefox.exe
5056 firefox.exe
5056 firefox.exe
4472 javaw.exe
4472 javaw.exe
4180 javaw.exe
4180 javaw.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3500 wrote to memory of 3320 3500 iexplore.exe 66 (3 entries)
PID 4684 wrote to memory of 5056 4684 firefox.exe 69 (9 entries)
PID 5056 wrote to memory of 2244 5056 firefox.exe 71 (2 entries)
PID 5056 wrote to memory of 4800 5056 firefox.exe 73 (43 entries)
PID 5056 wrote to memory of 4544 5056 firefox.exe 74 (7 entries)
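Every WriteProcessMemory row in the table above is a parent writing into a child it has just created: iexplore.exe 3500 into its 3320 content process, firefox.exe 4684 into 5056, and 5056 into its gpu and tab children. That is how browser process sandboxing starts up, not injection into an unrelated process, which is the case the signature name suggests. The Python below is an added example (not the sandbox's own tooling) that collapses rows in that exact format and separates the two cases; its parent map is copied from the process tree below, and the row for PIDs 9001/9002 is constructed to exercise the other branch. The procid_target column is treated as the report's internal process index rather than a PID, which is how its small sequential values read.

```python
r"""Collapse and classify "Suspicious use of WriteProcessMemory" rows.

Added example; not part of the report. It takes rows in the form the table
above uses ("PID <writer> wrote to memory of <target> <writer> <image>
<procid_target>"), counts repeats, and marks each writer->target pair as a
write into the writer's own child (what a browser or installer does while
starting a sandboxed child) or into an unrelated process, which is the case
that actually deserves the "suspicious" label.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<idx>\d+)"
)

# Parent -> child relationships copied from the process tree of this report.
PARENT_OF = {3320: 3500, 5056: 4684, 2244: 5056, 4800: 5056, 4544: 5056}

# Rows copied from the report, plus one CONSTRUCTED row (writer 9001, target
# 9002, image example.exe) that is not in the report and only serves to show
# the unrelated-process branch.
SAMPLE_ROWS = """
PID 3500 wrote to memory of 3320 3500 iexplore.exe 66
PID 3500 wrote to memory of 3320 3500 iexplore.exe 66
PID 4684 wrote to memory of 5056 4684 firefox.exe 69
PID 5056 wrote to memory of 4800 5056 firefox.exe 73
PID 5056 wrote to memory of 4800 5056 firefox.exe 73
PID 5056 wrote to memory of 4800 5056 firefox.exe 73
PID 9001 wrote to memory of 9002 9001 example.exe 99
"""


def parse_rows(text: str) -> list:
    """Return (writer, target, image) tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            out.append((int(m["writer"]), int(m["target"]), m["image"]))
    return out


def classify_writes(rows: list, parent_of: dict) -> list:
    """Group identical rows and label each pair by its process relationship."""
    counts = Counter(rows)
    result = []
    for (writer, target, image), n in sorted(counts.items()):
        own_child = parent_of.get(target) == writer
        result.append({
            "writer": writer,
            "target": target,
            "image": image,
            "writes": n,
            "relationship": "own child" if own_child else "unrelated process",
            # Only writes into a process the writer did not spawn need a closer look.
            "review": not own_child,
        })
    return result


if __name__ == "__main__":
    for entry in classify_writes(parse_rows(SAMPLE_ROWS), PARENT_OF):
        print(entry)
```

Run against the full 64-row table the function returns the five collapsed pairs listed above with review set to False for all of them; the constructed 9001/9002 row is the only one that comes back flagged.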
Processes
- C:\Program Files\Internet Explorer\iexplore.exe (PID 3500)
  "C:\Program Files\Internet Explorer\iexplore.exe" https://download.oracle.com/java/18/archive/jdk-18.0.2.1_windows-x64_bin.exe
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3320)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3500 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C1KFYRT\jdk-18.0.2.1_windows-x64_bin.exe (PID 1016)
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C1KFYRT\jdk-18.0.2.1_windows-x64_bin.exe"
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\jds240578453.tmp\jdk-18.0.2.1_windows-x64_bin.exe (PID 4652)
      "C:\Users\Admin\AppData\Local\Temp\jds240578453.tmp\jdk-18.0.2.1_windows-x64_bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\System32\msiexec.exe (PID 1148)
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk18.0.2.1_x64\jdk18.0.2.164.msi" WRAPPER=1
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4684)
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5056)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2244)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.0.23328248\1475892040" -parentBuildID 20200403170909 -prefsHandle 1560 -prefMapHandle 1552 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 1644 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4800)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.3.846874069\1991463438" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 2200 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4544)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.13.361217332\1988109608" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3432 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 3452 tab
- C:\Windows\system32\msiexec.exe (PID 256)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\MsiExec.exe (PID 308)
    C:\Windows\System32\MsiExec.exe -Embedding 50A02107D2E34DE35566DDCCF223E1F5 C
    - Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (PID 3820)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (PID 684)
    C:\Windows\System32\MsiExec.exe -Embedding 7A24F8570D146727B40F00FCCE978022
    - Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe (PID 492)
    C:\Windows\System32\MsiExec.exe -Embedding 06B3850FB7B83837044BFD7E9442A389 E Global\MSI0000
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
- C:\Windows\system32\vssvc.exe (PID 2868)
  C:\Windows\system32\vssvc.exe
- C:\Windows\system32\svchost.exe (PID 2984)
  C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
- C:\Users\Admin\Downloads\SKlauncher 3.0.exe (PID 4328)
  "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
  - Executes dropped EXE
  - C:\Program Files\Java\jdk-18.0.2.1\bin\javaw.exe (PID 4472)
    "C:\Program Files\Java\jdk-18.0.2.1\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 1028)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\SKlauncher 3.0.exe (PID 2180)
  "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
  - Executes dropped EXE
  - C:\Program Files\Java\jdk-18.0.2.1\bin\javaw.exe (PID 4180)
    "C:\Program Files\Java\jdk-18.0.2.1\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\NOTEPAD.EXE (PID 1004)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hs_err_pid4472.log
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
291.3MB
MD57dc23c7841999ab5b7446144e2df6d65
SHA19df608078676bb0e95e6f359d9a3c3a0599d8ea7
SHA256a0814ccd5edbfdf0c617071185948d40f572cce2454bd57f2015328fa6295728
SHA512beb838827a863185c775fcf2a2450168ac81a6067f5d5fc88d3355f8626095e4e25ebcbe69d19882b2746ea850250c87a3bdfbef5ce532f28bcabf2565784eed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5da5a9f149955d936a31dc5e456666aac
SHA1195238d41c1e13448f349f43bb295ef2d55cb47a
SHA25679ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224
SHA51260d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize727B
MD5aac57b446523b4ac3892bc2da33e5855
SHA18f5195bf755b5b187682ef8e092c3497add579df
SHA2563dfce9fd12087dff886d026d4eb156c27b3a8fac509f38c73fcf79789759d852
SHA5127babcab7ba6d012176923c3be0b68614284c81a768076f813b8e09ac9f80cc945548f93be71a12ed17e33e52bcb19a2b01849d2390f7c95e67fd1741d2bdc881
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5ddaabfaeb5297284372f878514b35e01
SHA1ebc6206a3396ec69635c289ab7dad4fb4715afd7
SHA256d1b21e9ad22843f78e6f82422505f8396c06416a919bf97bf61383a44690be14
SHA51224383dc912ec843f686751c3f3ec21d4c52396fbddd255e4990afbfd41c69057c73c580deb792769d766e5aff16c5ad4dbbc8e88a2972f85902dc661a5e41abf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize430B
MD57a2d715f60a9d69c7fe370f77d5369b8
SHA149405b344fb5a5e2310a0164a16c0d9963234855
SHA256b37050104fb6f2ac1e20267ffcfc3f143a55b10f9bac4ae58495b0b4aabe9c43
SHA512550add6056d93a4c4bf8ba89bec2500fde17c988a2e43852b72fda76b476accfaba0b4660e8f36b053d3caf386e503d7afdd97aebdf05cef848544d409de59fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize404B
MD5ace5d48fa47626006ff765d5c0e947d4
SHA10ad2e24777b9bd7f56e2701fb55342d415596a2e
SHA2566b4a7c0139d00a4a8462e07705657af0bf37cfc7ef3f555e9787de4d3779d88d
SHA51299bd8d7dc6d9835d5d8cac4b929542bf8832ef63cf427cd3491b598db8acdd8487e9b8f045c7d557a7e2bc321e6ce5feb440fc940c01159f64ef3e1d22e3af78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize442B
MD5b5337693882e1d148d6e2fb901b32935
SHA17dc1aa101438a575e4a0e4a71ccfd20b7b1f73de
SHA256110e450685443b086b5ecabb1b425d2d8dc546595db9b1ba83b1b613d28ed4d9
SHA512fbbde989cfdcdfe0c7f13074f5f341561d31f2b02cbacfacefe73351e9cf69e6bb5bc569848660d21854ffb4fc7897772ec6f8b87980f8fac0acd1136b21a9ea
-
Filesize
152.3MB
MD5ecda7806cda76f9545bbf465cc006c2f
SHA1fa875b18f81d373fc2f46513729501c96cbf3c85
SHA25671d547c0ae19fd8423afaca1bc9f197a105098c0ac31d20611c44d31aeffdca5
SHA51228d9d084d80fbfa263fd66fbbcc55d667d56cd97f16245780d5abc0b118ee7bead2443a109ac1f6c92a4e5a3631efa3ab8ee9e7c74d1942eac11ee663f8a0176
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C1KFYRT\jdk-18.0.2.1_windows-x64_bin.exe
Filesize153.4MB
MD5517ddc7521f023f8d8d6cdf6ed58bb34
SHA15f38a445eece5f68cd5454d9b5b14390c2fb3df0
SHA256cc19ffaa67cbb98333fc5ba17c41707b0116d8f680e6ea693c9429fd952cc1cd
SHA5121fd79eaff2183c5db0903a00523690f5a835f2193566fc29799fa2d209a8403fe6ec281ee9b18c0703454e220275217357629ab0217d9176d278d604f61aeee8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C1KFYRT\jdk-18.0.2.1_windows-x64_bin.exe.3c1s6eg.partial
Filesize153.4MB
MD5517ddc7521f023f8d8d6cdf6ed58bb34
SHA15f38a445eece5f68cd5454d9b5b14390c2fb3df0
SHA256cc19ffaa67cbb98333fc5ba17c41707b0116d8f680e6ea693c9429fd952cc1cd
SHA5121fd79eaff2183c5db0903a00523690f5a835f2193566fc29799fa2d209a8403fe6ec281ee9b18c0703454e220275217357629ab0217d9176d278d604f61aeee8
-
Filesize
610B
MD5b9eac7b1d844764c750c71ffd346e8a4
SHA1c1281c0d26b1e538d5f17bfed1ecce15741b24c3
SHA256f445fada37d1739aca07a6a0591c5fb98a4ee5978509d12947a36f735f72df03
SHA51297262a8de144f5397d8597cbc6aa5e109b5ad6ebae4cffe083625241ba97f86a7d0cbc5bb64f4f298a065f4822721513394369db9f9d877ad40236a47be860c1
-
Filesize
610B
MD594f85cffe13bcf138cdcad371eee0d9e
SHA1bc4a8c745de6e3768620cb9895f87190d2f37397
SHA256cd966c8ec2bbbae3d46614afbcb66bbcc53225cf0e1eef46d05d7d84e0a3102c
SHA5124b41bfc0b956049b9365b938221b4554fa63fe5f9fd85eeeffaa5e5496354570914afd5cff936f68e969fbd48c7ddb68e4beb193bbaa7d5381acd845edf8a10b
-
Filesize
878KB
MD55be800b8be59c3b695154fdefec08d08
SHA19cbc1f2fb7de9c948bfad1772fa7824de6c3bbc4
SHA256a36888070e685deab8420e92a0219067ba804b191494e98d48d9afbb0a8ed899
SHA512d72de20eb962b43fa000a26cbc5a014720a736f0d545493597de8fdfdaa4d3f9a391a0008dadaa6d37b40ce12a1a990add85115d1a4812af388aa075a49a37de
-
Filesize
878KB
MD55be800b8be59c3b695154fdefec08d08
SHA19cbc1f2fb7de9c948bfad1772fa7824de6c3bbc4
SHA256a36888070e685deab8420e92a0219067ba804b191494e98d48d9afbb0a8ed899
SHA512d72de20eb962b43fa000a26cbc5a014720a736f0d545493597de8fdfdaa4d3f9a391a0008dadaa6d37b40ce12a1a990add85115d1a4812af388aa075a49a37de
-
Filesize
878KB
MD55be800b8be59c3b695154fdefec08d08
SHA19cbc1f2fb7de9c948bfad1772fa7824de6c3bbc4
SHA256a36888070e685deab8420e92a0219067ba804b191494e98d48d9afbb0a8ed899
SHA512d72de20eb962b43fa000a26cbc5a014720a736f0d545493597de8fdfdaa4d3f9a391a0008dadaa6d37b40ce12a1a990add85115d1a4812af388aa075a49a37de
-
Filesize
153.1MB
MD5cc56c0398900e270233ec36d1856df33
SHA1160319810f22fac1e5f7292326f666d86e53282d
SHA256752a05614e95db3e493c62fd3f5e83cc1cfc3e853de250806905e66e5c990af1
SHA5121fc00bc0dbc2a880cc1b28792dc383f0a5a4bef9509b7dbe82754ec3baff456b625ff6b873c87db8bc947b397ffb1e1c7fca8cf7d826e3f3644afd4601c01f2d
-
Filesize
153.1MB
MD5cc56c0398900e270233ec36d1856df33
SHA1160319810f22fac1e5f7292326f666d86e53282d
SHA256752a05614e95db3e493c62fd3f5e83cc1cfc3e853de250806905e66e5c990af1
SHA5121fc00bc0dbc2a880cc1b28792dc383f0a5a4bef9509b7dbe82754ec3baff456b625ff6b873c87db8bc947b397ffb1e1c7fca8cf7d826e3f3644afd4601c01f2d
-
Filesize 283KB
MD5 4be6e03dac539bd73b58a1e5b10f92d1
SHA1 a48c64910f47392379588d16f88997179fe29d0c
SHA256 030515311d611a93b447ce2d73382f98063fe29afa6fb1663dd206c9143728b3
SHA512 92bd0b16dc5c932d281eb63032db1bcd2836a79246c917e524f1b2a46191b6ae532d077f54e2856dd5f9a9b5307caf8ed306d762591ee0198b49b47f7294f613
-
Filesize 285KB
MD5 990efc3ded03895e45172599130c7457
SHA1 76700088fb940a16acd849ac2be2c1853f141bfc
SHA256 91c23f0a2d4ecd1c4109fc685e3d0cbab2b78650c2e6aa0e8fcd02037836b59e
SHA512 2a4b35a82e9a429979726e27b18b48b2d04fc5409b030f9b5b97c1eb0ad7c1646b70b559df51c6ac6fb3939453130c8b74cd8112bb80ef379946f1137e0fe982
-
Filesize 292KB
MD5 b506475ac3b64f0bb2d35ea5e31cc199
SHA1 4c41118421a42a99a91e20d0873de1cc8a6a2da8
SHA256 22808e256d3adb27fca721f6a8b8d7d26a8e520d2ca973d972455b04c02c8eab
SHA512 e16a9eeb08dbd9dfe9bc3b8d5cbd7cb51115dafae415dad29704c1576a937309fa421a3217db5a3257833b6cc66a77ccdfec3e00d5aa9222338293b89d76c84f
-
Filesize 292KB
MD5 35efb390ee6efe454350691e817e64bd
SHA1 679b82b78a0a97f414ba69260fcbfaad15fd30e2
SHA256 eff0dc7dab3f842ad27bd13c7dbdc5da65665ff0da722240d86072c66bce215f
SHA512 908e528a035c5bf9889b9da8f0d17dc18e9f0fe123dc565205474a2890f83f1c132058522da3427fa8086be2ee73b0ac971299028598264133ce383fce7bbcbf
-
Filesize 25.0MB
MD5 b71ffbc37108af5a69c0f203bfa30ce2
SHA1 a8497d53959c20cbf502fdb18c067eae6f7f7ad7
SHA256 9ee4f39bf22e571d87cbab2510aa09ef385d3418659c80dd24d92b2fcaa2adfc
SHA512 7ddacfe14019a5799bbe0644d144073e7feb21a3243a8b71328f10dd10d37d835160d14afb2d52b4578847a012c53196c3773bceac5491c3d0ebed0b567c844d
-
\??\Volume{420c8c0f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{32b82dd6-de39-4155-8b0b-de7736f4f302}_OnDiskSnapshotProp
Filesize 5KB
MD5 b61ae0cd5a268e82fd0d462bb4bd6c85
SHA1 d273174ff18ebbaf82eb38e8160cf6df81686f4d
SHA256 157661c4c3b463ee86f77d15632847d0f6a43c60de1aba1db5e8a0ae0f3194d3
SHA512 b2a910358cdd5e150dfe85097f645b9a2eee09c7a86af7d8980b3c981bbe0b7560703d21279bd3597040fa49e3d7a053460576fc6a449fac1290d13626c2fdac