820f55fdc13b00d98dc080dd5c53d46bcd3e8f74a01e4099f39096fa7ffb393a

Analysis

max time kernel
208s
max time network
211s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19/07/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AllInOneMacros_Downloader.jar
Size

5.0MB
MD5

beb06be307e22f588f514abab44f38a3
SHA1

69ca341e46ba097f27121eb987f1bf85f54fbd2c
SHA256

820f55fdc13b00d98dc080dd5c53d46bcd3e8f74a01e4099f39096fa7ffb393a
SHA512

eec3d305daf75f701705e6955fbd70f436a8805bcc85851ea5cac53356f60b63c25fcc2a609da944072420813ba11f0e0579520ac0db8331d62e3df9844025c2
SSDEEP

98304:A3zRryR1U56hGW4MRuhis1ZSnBYIK5nZBSyz5TdGca3G7wUWIZNYMmWgP:A3zRuRlhGsRuhis1qyZBVz5Rw3GUUFHu

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllInOneMacros_Downloader.jar	javaw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AllInOneMacros_Downloader.jar	javaw.exe

Executes dropped EXE 3 IoCs

pid	Process
4824	jdk-22_windows-x64_bin.exe
3000	jdk-22_windows-x64_bin.exe
5984	javaw.exe

Loads dropped DLL 41 IoCs

pid	Process
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe
5984	javaw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-22\bin\api-ms-win-core-interlocked-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\api-ms-win-crt-math-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\klist.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.attach.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\release	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.accessibility\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.nio.mapmode\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\lib\classlist	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\ucrtbase.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.internal.jvmstat.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.base\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.datatransfer\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\api-ms-win-core-handle-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.jpackage.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.instrument\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.nio.mapmode\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.desktop\colorimaging.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.security.jgss\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\include\jdwpTransport.h	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.xml\jcup.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\lib\security\blocked.certs	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\tools.zip	msiexec.exe
File created	C:\Program Files\Java\jdk-22\bin\vcruntime140_1.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.desktop\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\java.security.jgss.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.desktop\lcms.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\lib\tzmappings	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\api-ms-win-core-sysinfo-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.security.jgss\LICENSE	MsiExec.exe
File created	C:\Program Files\Common Files\Oracle\Java\javapath_target_240797796\jshell.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\jcmd.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.smartcardio\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.jdi\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.compiler\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.management.agent\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\conf\security\java.security	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.jlink.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.base\icu.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.desktop\freetype.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.desktop\jpeg.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.attach\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.security.auth\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\jpackage.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.naming.rmi\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.hotspot.agent.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.security.auth.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.sql.rowset\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.internal.opt\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.jcmd\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.localedata\cldr.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\saproc.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\conf\security\policy\limited\default_US_export.policy	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\conf\security\policy\limited\exempt_local.policy	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\jdk.jstatd\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\lib\src.zip	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.httpserver.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.scripting\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\lib\jfr\default.jfc	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\java.compiler.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\jmods\jdk.crypto.ec.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\legal\java.security.sasl\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\api-ms-win-crt-conio-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\jawt.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-22\bin\jdb.exe	MsiExec.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4741.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4322.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI470F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI472F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4752.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a3450.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF578A45C9EA145077.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C0D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF06CB47105291E7D1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4783.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA22903988AA31675.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5a3452.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI470E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37DA.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF661B0FD26E9E0B91.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AA2685C5-73D8-54BD-A9B7-2701251A8921}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4753.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4763.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a3450.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4730.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001b0fa86b5f6645020000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001b0fa86b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001b0fa86b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1b0fa86b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001b0fa86b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\System	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jdk-22\\bin\\javaw.exe\" -jar \"%1\" %*"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\ProductName = "Java(TM) SE Development Kit 22.0.2 (64-bit)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Media\2 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk22.0.2_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\java.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5C5862AA8D37DB459A7B721052A19812	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\Version = "369098754"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk22.0.2_x64\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5C5862AA8D37DB459A7B721052A19812\ToolsFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\PackageCode = "C21BE8B2BFEB4A045BED9F6848AC03E0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D022002	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\PackageName = "jdk22.0.264.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5C5862AA8D37DB459A7B721052A19812\ProductIcon = "C:\\Program Files\\Java\\jdk-22\\\\bin\\java.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D022002\5C5862AA8D37DB459A7B721052A19812	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jar	MsiExec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	msiexec.exe
4952	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeDebugPrivilege	1524	firefox.exe
Token: SeShutdownPrivilege	5072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5072	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	5072	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5072	msiexec.exe
Token: SeLockMemoryPrivilege	5072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5072	msiexec.exe
Token: SeMachineAccountPrivilege	5072	msiexec.exe
Token: SeTcbPrivilege	5072	msiexec.exe
Token: SeSecurityPrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeLoadDriverPrivilege	5072	msiexec.exe
Token: SeSystemProfilePrivilege	5072	msiexec.exe
Token: SeSystemtimePrivilege	5072	msiexec.exe
Token: SeProfSingleProcessPrivilege	5072	msiexec.exe
Token: SeIncBasePriorityPrivilege	5072	msiexec.exe
Token: SeCreatePagefilePrivilege	5072	msiexec.exe
Token: SeCreatePermanentPrivilege	5072	msiexec.exe
Token: SeBackupPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeShutdownPrivilege	5072	msiexec.exe
Token: SeDebugPrivilege	5072	msiexec.exe
Token: SeAuditPrivilege	5072	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5072	msiexec.exe
Token: SeChangeNotifyPrivilege	5072	msiexec.exe
Token: SeRemoteShutdownPrivilege	5072	msiexec.exe
Token: SeUndockPrivilege	5072	msiexec.exe
Token: SeSyncAgentPrivilege	5072	msiexec.exe
Token: SeEnableDelegationPrivilege	5072	msiexec.exe
Token: SeManageVolumePrivilege	5072	msiexec.exe
Token: SeImpersonatePrivilege	5072	msiexec.exe
Token: SeCreateGlobalPrivilege	5072	msiexec.exe
Token: SeCreateTokenPrivilege	5072	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5072	msiexec.exe
Token: SeLockMemoryPrivilege	5072	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5072	msiexec.exe
Token: SeMachineAccountPrivilege	5072	msiexec.exe
Token: SeTcbPrivilege	5072	msiexec.exe
Token: SeSecurityPrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeLoadDriverPrivilege	5072	msiexec.exe
Token: SeSystemProfilePrivilege	5072	msiexec.exe
Token: SeSystemtimePrivilege	5072	msiexec.exe
Token: SeProfSingleProcessPrivilege	5072	msiexec.exe
Token: SeIncBasePriorityPrivilege	5072	msiexec.exe
Token: SeCreatePagefilePrivilege	5072	msiexec.exe
Token: SeCreatePermanentPrivilege	5072	msiexec.exe
Token: SeBackupPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeShutdownPrivilege	5072	msiexec.exe
Token: SeDebugPrivilege	5072	msiexec.exe
Token: SeAuditPrivilege	5072	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5072	msiexec.exe
Token: SeChangeNotifyPrivilege	5072	msiexec.exe
Token: SeRemoteShutdownPrivilege	5072	msiexec.exe
Token: SeUndockPrivilege	5072	msiexec.exe
Token: SeSyncAgentPrivilege	5072	msiexec.exe
Token: SeEnableDelegationPrivilege	5072	msiexec.exe
Token: SeManageVolumePrivilege	5072	msiexec.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
5072	msiexec.exe
5072	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
1524	firefox.exe
3000	jdk-22_windows-x64_bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1232 wrote to memory of 1524	1232	firefox.exe	94
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 3200	1524	firefox.exe	95
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96
PID 1524 wrote to memory of 2364	1524	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\AllInOneMacros_Downloader.jar
1⤵
PID:1948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1900 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2d0821-3746-41ba-88a9-f7f697612c2e} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" gpu
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 25785 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e21727be-475e-4014-ad72-dc8bc389b3a4} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" socket
    3⤵
    PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1488 -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 3232 -prefsLen 25926 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d845fe0-1772-42b7-b812-f829201a78c7} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3492 -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68de757c-5d55-4f9b-8eab-1d3d88dba78f} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:2688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4492 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4632 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b50a4b-08f4-404c-8bde-5fe6c3181eb6} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" utility
    3⤵
    - Checks processor information in registry
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8931a43e-d7f8-4bfe-be23-168aa325b6f5} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70ab18b1-9210-40f6-8f57-3f1c838d78d0} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5848 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0862f37e-8682-4886-945f-72f23d322bfd} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 6 -isForBrowser -prefsHandle 6060 -prefMapHandle 5796 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dab2f35-4034-460e-b981-90bdf04d25bb} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:2464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6324 -childID 7 -isForBrowser -prefsHandle 6316 -prefMapHandle 6312 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25cb4e9c-4624-495d-9fac-b1841491c160} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -childID 8 -isForBrowser -prefsHandle 6324 -prefMapHandle 6384 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17c8e53f-bfd7-4f44-9e60-c803f865ff27} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6380 -childID 9 -isForBrowser -prefsHandle 6528 -prefMapHandle 6532 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d2d8dae-b6f6-48e3-835b-241cd4890945} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
    3⤵
    PID:5840
- - C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.exe
    "C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.exe"
    3⤵
    - Executes dropped EXE
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\jds240780750.tmp\jdk-22_windows-x64_bin.exe
      "C:\Users\Admin\AppData\Local\Temp\jds240780750.tmp\jdk-22_windows-x64_bin.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3000
    - - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk22.0.2_x64\jdk22.0.264.msi" WRAPPER=1
        5⤵
        Enumerates connected drives
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6044

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\AllInOneMacros_Downloader.jar"
1⤵
PID:5596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DF4FF9108411C8D786D9B4087CA53394 C
  2⤵
  - Loads dropped DLL
  PID:1356
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5972
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 04B3D12D1FE461AA6D06E1BEC7B4835C
  2⤵
  - Loads dropped DLL
  PID:5536
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EF5E56A4524E447F785FFD0FE10C5A11 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5192

C:\Program Files\Java\jdk-22\bin\javaw.exe
"C:\Program Files\Java\jdk-22\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\AllInOneMacros_Downloader.jar"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a3451.rbs

Filesize
10KB

MD5
e126ba047ee95cdab321d63bd38e7402

SHA1
5416199d1bc69cec3a4027a80ee107397924fe9e

SHA256
b081b8a0cad9782fd3cefe71c0b9ca9fc477eb54016fe07ff58a4c24470d345a

SHA512
882be979dc73122557a591752a46132971844fcc61f70f6327ee38af3e0505c0be964ef6533a7e1810d4be36fddd7882161ae890ec69fd1fbceaea7632e2f82f

Download Submit
C:\Program Files\Java\jdk-22\LICENSE

Filesize
6KB

MD5
7369866495acb2d7e57397f06a3ab0ba

SHA1
e75e828ba2898c74b4a682ce5291a69acf9cc55a

SHA256
4d156eecbf6ca462d8cf772552fff874b167f87def9566837fb8e4fb347f29a5

SHA512
6c1ae5229953259a258bf140241afa9dc50b642dbb5a11c183c8920678292266aecc26dd1254c3ce9184fe08c3068e2183a694a9a06f5972cc535015461ff825

Download Submit
C:\Program Files\Java\jdk-22\bin\windowsaccessbridge-64.dll

Filesize
70KB

MD5
753dbe7bb0436064df159acb1f566a8e

SHA1
44b926e69aff2ac192912ac44eb71fe1bd3d4fdf

SHA256
2ae2e250ca71a66c4fe9cc60038d079cd2da2bd2370f68e717abf411b5b9ce51

SHA512
018bd6f5e518e8dc1463a5a395e945796cee20969d5c1e71386afe39986c7e87ca794d6a26a048ee7f0c796429dc577b812c12573610507d0bbd48ea137ed31d

Download Submit
C:\Program Files\Java\jdk-22\legal\java.logging\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\Java\jdk-22\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url

Filesize
197B

MD5
42bd69cadcf583341dfb2f3d0934cca3

SHA1
cc607f090f32c0c8e09b587b1c042f576b74b46b

SHA256
77ed09de913aa87c8aaa70eaf8b85a2840e803c0585726ef1b19badb63c48baa

SHA512
308dabf7222aaa4a80a7d4d9a868fc059d9bf6093f8f9019e6ba9c0bc1f9f70020ded419048468e3ac5e670c75353786d92f0d593a59b4ea11023a107d943fdf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
175B

MD5
0b7f7b921d15c8f4651075739aa1c64c

SHA1
a2faad6346abc164c037e168f247ade8b3a50c82

SHA256
7f75a65299b7abfad831523c53a38ca4454d63972b7b33390f0e73a070ae73b9

SHA512
01c96b880b77581c9e149e29e8826a3f04a15c0ab5f5bc004988acaa267eef12e584ff7ac3c9294382093d029cc0cfa185596d8467906d80e9d1d4dda290c9ff

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
171B

MD5
4fbdabfec7f1824eff3a5eac6f063080

SHA1
7183a986222460bbe104aa34a6795bb3ae6fc7ab

SHA256
88a0409faba2aee66c0d0d83a898ed621244d3826ce305a0b9b1f851e302736e

SHA512
bc599d608a9fc5f6b9f675597f90ca7c72d30a137ca256d5efc04f8ebd15c075ee11fb799578a804e8bf8f51806059c3baf0ca64641df534683dd4bebea5c7cf

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c39adfc52e70ad274eb7787f8a6e2923

SHA1
a5fbe0539756acdd33c047d4134276de0917ed64

SHA256
fbcac82ec829147051f3862e4191ccc80216f519f89875752c44e96ad0d66b10

SHA512
8ad7e9e534e6736fa4e526693891b970220b0b0496f781ec4434e77ff78a16ee4e3b886ff6d3c67ef7cec433f0c340ed76a67410f6b82d2b1d0ea6f1477f365e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
7ad691bbb88822ed40d6fb261496c257

SHA1
bb84cd55cb6722648ae944451ba7341399ff64c1

SHA256
ad91f9eeef43220900aff53e7c0eb648d78138011ac35a2fdb31a251b47125f2

SHA512
7c5e0fc1cc6c032e67015dc2faea4ac3a6f7a4e5a26bcd4ccf58558caa1db35d094c098c393bf09b05f2c8c56031287d79608cb809a4fe3534cae4a30041026e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
0b05e78f4ce88291c32cf2b2a6d563ac

SHA1
71847eeb2ddea72f841070b144a2f567352d649e

SHA256
40ea912183393ff9f6e9e503f137fb841e1d76129ddeb3eafbbb33217da96c8a

SHA512
579fd615acf3d5532a789ef76d73e786f32df6807fa9845825dd95b29b1964d0812cdbc2f8b2e11f315b178386fd42d2007a5d0e9c651ac98f721b5940208c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
d3b7c082940d15fa4b2239371ef93666

SHA1
b32d917ed6e499020e18c0e359acc9c0ff6fbaac

SHA256
311f181ab84f03ae281fe20136eb8fd23552b8e5f724d558ee10871302920c19

SHA512
4f4aa429e80e9aba48e0eaedb3148f7af50946775366bcee489bd6b6b6cfac6628474b41d8c51eeb1369c7ad2161e23358b138c0899765742eccb4c339e37050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
e190942cb4ef6e2de8f5b0cede678b8b

SHA1
25cf5af24853c355453a913fbf22ada6583c7f14

SHA256
228e0e4c73f67bb0dd681151a9cfed540005e0109a70338809eb3c6cd07f66f5

SHA512
6cc2287f27805a282ab5e1188842de67c789d1d4b29ee4c59ff2019ce7cd2885d94b55822a9d1217663864bb6f797d73ce2409ae3c4a4efc289db83c4d093565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
1dda30017350cede45af6fb77426e852

SHA1
e1af128e953090646db5a4af4e16e81ea4b787f6

SHA256
9c20275496a360321a86c279e617a5750c4f42148022fbb727564551970c19a4

SHA512
244dea3061d9fee9f5ce104173be4372e14e08fca4f0374f039c9658c91730bdf35b2ae5a25fa7ccc39604f4df232ad3b2a5128420170a66463f8df2834b7da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
0bb349ac16cc8211dad6ce3ce66d92de

SHA1
d8421ef6514e60f4b4ce6ba7f746731cd18de1b0

SHA256
7e40340d0f227addc9bf8d399d4a85d4c9672764688f280ed1964317d78cae35

SHA512
4ba1d8d5f7f0f20f5d7bc3e9ea28f4cba62b35633e13e60204ec373cbf53c6501855cd9d2bac0810bd36d3cf2cd93b0acbfda0769945a9b200408413124a8663

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz8w575m.default-release\thumbnails\168ce875a2188cce97924a11f6a918df.png

Filesize
11KB

MD5
9fcff1981ba28d48686634d4968200e9

SHA1
e7b32912dd78c88bad8868fb3b3c05f236632c67

SHA256
53a07dc104fb196c9209a437c9025b13bc746a6047cba6a273103a1a5a9f8b40

SHA512
80b941c808d665969a3e178649c7e6254c880f748b04d023b0a9efbd0bf11d9075c137022ffaf02be14c1c5b08d596b7c06983d9f456e8500cd112aabca1f5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI14A2.tmp

Filesize
947KB

MD5
a5f00b94876c9a227eef8999066da036

SHA1
6ef74b6a240472ea6ea6e90f5746b7fda43c9e27

SHA256
85826dd6020d59ba225786162a18239b4d67c4909a0f3ec49a50430484afad2e

SHA512
7d35528df363cdce14b596187a746286306ab4776170cf8b0ad36e5d5db265b70ad8dd2aa88b0d65841fc21d49e5054028e6b023ce19fd008e6aa80b65bb0a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
196KB

MD5
3459a5655517544b44490fbc1a6aeb85

SHA1
429b846bf2af0bb5eb48e70ebb3c3ee5ded3e743

SHA256
6c1fb0266ae87fc07c6efc779b39b36bee9fcb893e7e94f6990b76490639ca24

SHA512
f64b525f588af5e88224fe57e8d816940718704dd6705f9319c20276af042116e6ef5209d07d31b953962e35fca0d7bee79e61b8e391848fc1b253fea88c3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
196KB

MD5
33dbacda9cc30a07ff610c9d9b926e2f

SHA1
6b98b4ab4fce33338b3b38c6164473b9c5997a54

SHA256
680c90469ab2da8f738c3a73a3cc8b878b687cedc4fbdf1dd0fbc3524b8c6976

SHA512
c13ba4f8627da04caa8f331f20a8fb6b13e4dd523b498473da2e86ebab847ed43103ce0e006c296d0a7c740fb0eb8db74c7162fa60f780356397b673d72fd497

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
e7a334b85dc3d8eb4a66eafcb5275b61

SHA1
43a29e38b627a9f97b448a8b8441eae1a65a57ba

SHA256
7fa9de7dd8f781e5b61c928449feaf987a5aa1a390e19f1fc59e4b8645d27433

SHA512
8d36460a6ce6f5acc7010a329151677b3b6c34f042a1a947937b49cf5974b7790fd06cd58c4e4f860af84e4a0ad9e09fb124c1ce29678f57d692f023f50a3c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
172KB

MD5
c64d19ac7f965c28fc67ce4b13c13949

SHA1
d9324245bc6c8ec5e79d9fe7c8496fed93ed9574

SHA256
8963d8de8e9df29277551896872facce2fbde292198dfa606ee48ed7f60aa13e

SHA512
eebfdca691bcf27f39e9be75e1a40474aefaf8509ccef2e55685e17b1fdecc88518f09fd0e769b3055988f969af65511cbcdec32fa5fc11a09af9a1decfb0587

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
192KB

MD5
aa4a5413bc65a72526463c7ee75a1c48

SHA1
c85f2622697f742c105ecf35f4bcb32556e1bb58

SHA256
033e0a5b2d47707e4bc752f5e86b9546bb1280dc2a7421032e87f142f3f2e066

SHA512
3dfd54bda5d59e23fd5cb7a2fb7a3ad6f5c837ce2eca5e9ecc213dd9592904eda20d1b38992dd6f17cbb91477d02df8e1540626d0f8ef4e638f6e9efb448e710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\AlternateServices.bin

Filesize
8KB

MD5
a492fda7a3d9861c2b201737d4abafbc

SHA1
6d1a33207ed89fddbecc85abff69792d76ea1394

SHA256
fe12888950006befadc245574b1fa09799d078d9a9dc6b4ff2d54fe98958c7e5

SHA512
27cd1dc0771b473e734ed3f22e909411f882d60ee6ab34d4b47e1046346caa7ff5488017a25ad4871637c07e0759f6c495564b02616ab2529775b446ac2d11cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
a41cb6d6eb313c2f39bdeba40045325c

SHA1
2ce1cf7574b5f7a1f7e33c09a44d875d97f7fc49

SHA256
0a1160bc080484820e3be338155684e7868a935e3bbc0a8932d19e7669b0abbc

SHA512
82e9276b13a6f8d7d20415de20f5b0be28c51f7454bf3874a8886612ceb307bd02da59985bcdacc93abe256f9b42389e097d27737def1f03ef7851f5b227561d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
7034c08f9f698187cf77a2c2f1c85566

SHA1
2f39f3210c36e6c27d0d41543e7a8dfe5458cc29

SHA256
1f9c05afc26a7c628ed3b8720930380f2726efb74db6727f9ae67fc5ad9f47b0

SHA512
42229ecd1b7519ad2e9530f54029cc8eb2bd600c20b1f42ca0dd5ea4e14ae38f84a9a6cf581d3ce9c28088eef81ef144c694f0f20c0ed299938dc3d5285b8647

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\24f049f3-9466-4d3d-87f9-41230eca7815

Filesize
982B

MD5
0573b6e42d74281483a5a51f37c1ffc7

SHA1
fc53d8169c255075f0ff2b13fdcf0ba422b5f711

SHA256
dac63f84a59182bc7c05ac27d5f8f7f61863126b0cdad80ed02859658c1e5ea6

SHA512
fa990da08a079a0b6d32c54bd0b471a65ec8bcb0349a6b3837f0a27b4bbe3582209f9636f0c4e2f29998e2640958b7134533e7b21378cb0ab49b8bc61d7cc8fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\datareporting\glean\pending_pings\628706be-1224-4c79-8adb-fd462d78bfee

Filesize
659B

MD5
16fd2f74e9080e57493fb3841efd867b

SHA1
b26ef4735692ebdf49b524e53f076f627c8cba89

SHA256
56446e7b364d479cf56db095234b4077ce2cc37ff69c780b7421f4a88f6f1415

SHA512
f04ac9d36d834b837d750e46e48598504c6e6183c73b4e28d0caabaca61a5db4dbf441a6f04b0b80261b2f2342bc80cba4aa9f9f2905d6ed726fbf797e6cf752

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs-1.js

Filesize
12KB

MD5
003b8fc80d4a9be97440141b0e0c1750

SHA1
123890063d2f0b61089c5f6d076f4a91f7af38ad

SHA256
77505105add298365d8a0914bde32a4c39a6b7f241044ecb4984796defd4b2de

SHA512
e5232a77c50dea23b5220aed4dbc2d9dde811273385c4a6243026cbc8594224f4cb60899e020f3012e358604f5de413a8f2fbab6e1b3f3a73842ef86c0d8604a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\prefs.js

Filesize
8KB

MD5
5da23425968755587a9afd0228eb5a13

SHA1
640a5ff31c9714d71289cd82ba17a02a8e277dfb

SHA256
7069df812ffcf85bc4969c01111c7775c0ff77ac4a351191480961a5b529083a

SHA512
2529b338eb260f23a60a419e02c08a6ef3c8f3a66ae80d38accb02c65aa2da63e05b66cf941e12cfe2465b4d99cb8c2d395021a3b9196f6872084f9db852c9dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
90646067bbf7d2eaf35b000b3b7f3f40

SHA1
35dc8e8991ad4de0081681ee77988e0cfbea3136

SHA256
e3b870f47ca3153de1e1ec9591b40e72263d684cf35140da5fe3d871e02a190a

SHA512
70caca4af775c10d6ca456aa347e86eb95193db5986fee934bb707f31eae7f763928f479b39dbcb665f79fcad529bc2ad814439ee17630fb1e2f8c018c83eab7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
b05983c240ab578a35bd6266ac325ae3

SHA1
3c43222f44e7d42e0d54b2b8e7599193cff12c21

SHA256
7d9909317892b4b484537eb2a49a62998550be7ab52f7017590d7018a329e4dc

SHA512
2377411d09a69e3dfef201fa156d52457222e6e14b9528d5bd17e0605d773c521fe8851011b0ef5457b79ec7bdd2a974377c2dbb5d0b15ee0acf72b89cbfaa3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
96708bce884ee146ec287e3c1bdf4ba1

SHA1
ca5577ca0f357dffa8362c2abcda3fe674e5a72a

SHA256
97ba52ad172b4d3df1be4f3d6602656383f44df4e53280aa0f4dd9c571714026

SHA512
1fdbf182db88948530ed810082a0952f7e58fd6460d1fae912df85fec70d8c3857d30e203b8b6479f250676841a03e327e3651075f6a70ac8924784c7efe189b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
287159623ab90465238a4b3c882fef93

SHA1
dc0e52d86c8f335d1ab43fe6737b34d325bfc163

SHA256
49dc72127de4a014d2badf592a24e321552de45701c04d59470834bc2b0c900c

SHA512
3fe27c894f947a8fa77d6d4388cc9d30131dcba360242b879d3f49c8727c89849bdb7d85f5be979b59ab4d0ecaed60e0e1d574e67ad499ea4860a981800b2f39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
465a386bcd55c508d6a4f5ff4f8816fa

SHA1
1ce3b32e50e9d467025b8bbd25f6bd652edbfa70

SHA256
1c96aa4ca727a0f92026ebb41312d7fe8602fe8d2ab13f3dde0a272ef5a02328

SHA512
45cd1fc6c59618191f3d60b6513e6e8fbb1e7cceecbdf955e507e480a4818ec6b3b7dbf3ae6ddeb09a9cc2885e2519d6b5a1ab96f4253d8aef8e731d7d915c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5f02e5e7cebba9af6cf45a0148a89780

SHA1
65b475c30a4d884ebd380393834b9329f1fdd753

SHA256
5ba82f88d683454b0ee79d048a6a393c81bf844633d80d0bac1168e1fe0a7fec

SHA512
5a255dc8e0671914cfae31d65127be4f404ca255c34aaaf66c274bdd9cb71ea19f41ebed259d778166b987a139e214228965152f2ed44233718a5ed1d549a7f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz8w575m.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
d39eba281cfd79b84ca1b1ffc568c33a

SHA1
f667171779b1b47a43e97076e44edd7d1fc31b96

SHA256
ed6085c4c87f5fc1ce4056b4ec5a31789d7ed455510f1a46b66b1f1a65840ef0

SHA512
dbe6f17f5bab4afb9d6a06647b6a171e60895c6a253dc4ba6d930cbe8535414d65d3ff6586bcb8532e927cb441c9ee297938426758911eb24d79b9cf7f17e3a1

Download Submit
C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.exe:Zone.Identifier

Filesize
170B

MD5
cfe8a9d83ac913fa5d87d2b977f2fea6

SHA1
cfd44f1b5b774f1f5ce234eab8943f30e1bb0331

SHA256
dae2e6704d7bdb232be8639e98b51379c6a996251a4d3aacbaefc6783538909d

SHA512
2a8f4dcc24fc06515ecfd079ce49ceded0b8f28b0195ea3db39f5a182095728aee49f03ef5b55cbc1891475273262bedfb2402aa5b0cbc64f0039dccee8dcca7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
a6821af797e446b860c4da3d0568733c

SHA1
e69c8a167e526df72fb681d36a20a36b16862f1c

SHA256
82779039cb7482361bc8e0c1242ba4f17ddd90d7138ac7e08e0dd0a1f23ee77b

SHA512
3cb5d3a1725bf6fbf593a956972f34e7e46a50a6415c524475127f1f878199469d3f5466dcb726479d8613b18dfa40c6a2407339b67a8f9825ab9a007ddfa979

Download Submit
\??\Volume{6ba80f1b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{54b62e1d-4c6d-4769-847f-e11d0897aa79}_OnDiskSnapshotProp

Filesize
6KB

MD5
e24edbd6232c7c0a6343e7bcbf41d35f

SHA1
39ec446be742cbf69076e30367532a78c6c49db2

SHA256
acc8c11efce0f357e7fb9b86719772c1288332187bc01adce4dbe849a436a7be

SHA512
182643c1c914a6418e8469fe88a3bae9c92c0f476fba6ff28ee0b792addb3634e5be1f18597daab7a85ed11cb789d913a4efc4baac2d4536b2622480565b8e6d

Download Submit
memory/1948-2-0x0000024B00000000-0x0000024B00270000-memory.dmp

Filesize
2.4MB

Download
memory/1948-13-0x0000024B00000000-0x0000024B00270000-memory.dmp

Filesize
2.4MB

Download
memory/1948-12-0x0000024B78CC0000-0x0000024B78CC1000-memory.dmp

Filesize
4KB

Download
memory/5596-366-0x0000024184470000-0x00000241846E0000-memory.dmp

Filesize
2.4MB

Download
memory/5596-364-0x0000024182C30000-0x0000024182C31000-memory.dmp

Filesize
4KB

Download
memory/5596-361-0x0000024182C30000-0x0000024182C31000-memory.dmp

Filesize
4KB

Download
memory/5596-351-0x0000024184470000-0x00000241846E0000-memory.dmp

Filesize
2.4MB

Download