Analysis
max time kernel: 414s
max time network: 408s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-09-2024 17:07
Static task static1: mmc-cracked-win32.zip
Behavioral tasks (all run on resource win11-20240802-en):
behavioral1: mmc-cracked-win32.zip
behavioral2: UltimMC/Qt5Core.dll
behavioral3: UltimMC/Qt5Gui.dll
behavioral4: UltimMC/Qt5Network.dll
behavioral5: UltimMC/Qt5Svg.dll
behavioral6: UltimMC/Qt5Widgets.dll
behavioral7: UltimMC/Qt5Xml.dll
behavioral8: UltimMC/UltimMC.exe
behavioral9: UltimMC/iconengines/qsvgicon.dll
behavioral10: UltimMC/imageformats/qgif.dll
behavioral11: UltimMC/imageformats/qicns.dll
behavioral12: UltimMC/imageformats/qico.dll
behavioral13: UltimMC/imageformats/qjpeg.dll
behavioral14: UltimMC/imageformats/qsvg.dll
behavioral15: UltimMC/imageformats/qwbmp.dll
behavioral16: UltimMC/jars/JavaCheck.jar
behavioral17: UltimMC/jars/NewLaunch.jar
behavioral18: UltimMC/libLauncher_iconfix.dll
behavioral19: UltimMC/libLauncher_nbt++.dll
behavioral20: UltimMC/libLauncher_nbt++.dll.a
behavioral21: UltimMC/libLauncher_quazip.dll
behavioral22: UltimMC/libLauncher_rainbow.dll
behavioral23: UltimMC/libeay32.dll
behavioral24: UltimMC/libgcc_s_dw2-1.dll
behavioral25: UltimMC/libssp-0.dll
behavioral26: UltimMC/libstdc++-6.dll
behavioral27: UltimMC/libwinpthread-1.dll
behavioral28: UltimMC/platforms/qwindows.dll
behavioral29: UltimMC/qt.conf
behavioral30: UltimMC/ssleay32.dll
behavioral31: UltimMC/zlib1.dll
General
Target: mmc-cracked-win32.zip
Size: 13.8MB
MD5: c0ff728c671e8d9816c6787a4e4f174e
SHA1: e622a89fb553fae8261191a5e531d2f0550cf4e8
SHA256: 4e187aa04e5e6bc6c16c492d318b5cf916320d8a3e549c8a7f7dfae1f12f751c
SHA512: 66bc702b685bf645ed86a5a75aadf4a489258d43df841e6331935e7882209c7cef5260f5c51732c5dfb563a68199c01e10be7f2fbee3df9af0b1a61183fa9dc6
SSDEEP: 393216:LMZ4H6D1S86aamvvbwm8XtUmimAgj6jrxszxvteoWAaKeYF:Lm7g86yb5ItUm96jr6tvQoWjKeYF
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid, process):
1440 javaw.exe
4296 javaw.exe
1356 javaw.exe
Loads dropped DLL (64 IoCs)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
File created C:\Windows\system32\WindowsAccessBridge-64.dll MsiExec.exe
File opened for modification C:\Windows\system32\WindowsAccessBridge-64.dll MsiExec.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (38 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UltimMC.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 15 IoCs)
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Modifies data under HKEY_USERS (14 IoCs)
Modifies registry class (38 IoCs)
NTFS ADS (2 IoCs)
Processes (description, ioc, process):
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 374381.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.msi:Zone.Identifier msedge.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
2516 UltimMC.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
2516 UltimMC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (62 IoCs)
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid process (processes: msedge.exe)
4476 msedge.exe (12 entries)
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid process (processes: UltimMC.exe, javaw.exe, MiniSearchHost.exe)
2516 UltimMC.exe (3 entries)
1356 javaw.exe
5040 MiniSearchHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description, pid, process, target process (processes: UltimMC.exe, msedge.exe)
PID 2516 UltimMC.exe wrote to memory of 1036 javaw.exe (2 entries)
PID 2516 UltimMC.exe wrote to memory of 4416 javaw.exe (2 entries)
PID 2516 UltimMC.exe wrote to memory of 3172 javaw.exe (2 entries)
PID 2516 UltimMC.exe wrote to memory of 4436 javaw.exe (2 entries)
PID 2516 UltimMC.exe wrote to memory of 4820 javaw.exe (2 entries)
PID 2516 UltimMC.exe wrote to memory of 5576 javaw.exe (2 entries)
PID 4476 msedge.exe wrote to memory of 836 msedge.exe (2 entries)
PID 4476 msedge.exe wrote to memory of 4656 msedge.exe (40 entries)
PID 4476 msedge.exe wrote to memory of 5936 msedge.exe (2 entries)
PID 4476 msedge.exe wrote to memory of 944 msedge.exe (8 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. In this run the VSS activity sits inside the Windows Installer session for jdk-22_windows-x64_bin.msi: the installer service (msiexec.exe /V) spawns srtasks.exe ExecuteScopeRestorePoint and vssvc.exe starts, which is what creating a system restore point before an install looks like. Nothing in the recorded process tree deletes shadow copies, so this tag should be read as installer housekeeping rather than as anti-recovery behaviour by the sample.
Processes
Child processes are indented under their parent. Each entry gives the image path, then the command line as recorded, then the behaviour tags the sandbox attached to that process.

C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mmc-cracked-win32.zip

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\UltimMC.exe
  "C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\UltimMC.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files\Java\jdk-1.8\bin\javaw.exe
      "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      javaw -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      javaw -Xms512m -Xmx1024m -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files\Java\jdk-1.8\bin\javaw.exe
      "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files\Java\jdk-22\bin\javaw.exe
      "C:\Program Files\Java\jdk-22\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry

    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      javaw -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar

    C:\Program Files\Java\jdk-22\bin\javaw.exe
      "C:\Program Files\Java\jdk-22\bin\javaw.exe" -jar C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry

    C:\Program Files\Java\jdk-22\bin\javaw.exe
      "C:\Program Files\Java\jdk-22\bin\javaw.exe" -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump -Xms512m -Xmx1024m -Duser.language=en -javaagent:C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/injectors/authlib-injector-1.2.5.jar=http://127.0.0.1:49819 -Dauthlibinjector.noShowServerName -Djava.library.path=C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/instances/1.21.1/natives -cp C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/NewLaunch.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/github/oshi/oshi-core/6.4.10/oshi-core-6.4.10.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/google/code/gson/gson/2.10.1/gson-2.10.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/google/guava/guava/32.1.2-jre/guava-32.1.2-jre.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/ibm/icu/icu4j/73.2/icu4j-73.2.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/authlib/6.0.54/authlib-6.0.54.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/blocklist/1.0.10/blocklist-1.0.10.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/brigadier/1.3.10/brigadier-1.3.10.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/datafixerupper/8.0.16/datafixerupper-8.0.16.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/logging/1.2.7/logging-1.2.7.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/patchy/2.2.10/patchy-2.2.10.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/text2speech/1.17.9/text2speech-1.17.9.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/commons-codec/commons-codec/1.16.0/commons-codec-1.16.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/commons-io/commons-io/2.15.1/commons-io-2.15.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/commons-logging/commons-logging/1.2/commons-logging-1.2.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-buffer/4.1.97.Final/netty-buffer-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-codec/4.1.97.Final/netty-codec-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-common/4.1.97.Final/netty-common-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-handler/4.1.97.Final/netty-handler-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-resolver/4.1.97.Final/netty-resolver-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-transport-classes-epoll/4.1.97.Final/netty-transport-classes-epoll-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-transport-native-unix-common/4.1.97.Final/netty-transport-native-unix-common-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/io/netty/netty-transport/4.1.97.Final/netty-transport-4.1.97.Final.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/it/unimi/dsi/fastutil/8.5.12/fastutil-8.5.12.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/net/java/dev/jna/jna-platform/5.14.0/jna-platform-5.14.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/net/sf/jopt-simple/jopt-simple/5.0.4/jopt-simple-5.0.4.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/commons/commons-compress/1.26.0/commons-compress-1.26.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/logging/log4j/log4j-api/2.22.1/log4j-api-2.22.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/logging/log4j/log4j-core/2.22.1/log4j-core-2.22.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/apache/logging/log4j/log4j-slf4j2-impl/2.22.1/log4j-slf4j2-impl-2.22.1.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/jcraft/jorbis/0.0.17/jorbis-0.0.17.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/joml/joml/1.10.5/joml-1.10.5.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-freetype/3.3.3/lwjgl-freetype-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-freetype/3.3.3/lwjgl-freetype-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-freetype/3.3.3/lwjgl-freetype-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-freetype/3.3.3/lwjgl-freetype-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-glfw/3.3.3/lwjgl-glfw-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-glfw/3.3.3/lwjgl-glfw-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-glfw/3.3.3/lwjgl-glfw-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-glfw/3.3.3/lwjgl-glfw-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-jemalloc/3.3.3/lwjgl-jemalloc-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-jemalloc/3.3.3/lwjgl-jemalloc-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-jemalloc/3.3.3/lwjgl-jemalloc-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-jemalloc/3.3.3/lwjgl-jemalloc-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-openal/3.3.3/lwjgl-openal-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-openal/3.3.3/lwjgl-openal-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-openal/3.3.3/lwjgl-openal-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-openal/3.3.3/lwjgl-openal-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-opengl/3.3.3/lwjgl-opengl-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-opengl/3.3.3/lwjgl-opengl-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-opengl/3.3.3/lwjgl-opengl-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-opengl/3.3.3/lwjgl-opengl-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-stb/3.3.3/lwjgl-stb-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-stb/3.3.3/lwjgl-stb-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-stb/3.3.3/lwjgl-stb-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-stb/3.3.3/lwjgl-stb-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-tinyfd/3.3.3/lwjgl-tinyfd-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-tinyfd/3.3.3/lwjgl-tinyfd-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-tinyfd/3.3.3/lwjgl-tinyfd-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl-tinyfd/3.3.3/lwjgl-tinyfd-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl/3.3.3/lwjgl-3.3.3.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl/3.3.3/lwjgl-3.3.3-natives-windows.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl/3.3.3/lwjgl-3.3.3-natives-windows-arm64.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lwjgl/lwjgl/3.3.3/lwjgl-3.3.3-natives-windows-x86.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/lz4/lz4-java/1.8.0/lz4-java-1.8.0.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/org/slf4j/slf4j-api/2.0.9/slf4j-api-2.0.9.jar;C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/libraries/com/mojang/minecraft/1.21.1/minecraft-1.21.1-client.jar org.multimc.EntryPoint
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      Note the -javaagent option on this launch: authlib-injector-1.2.5.jar is attached to the game JVM with http://127.0.0.1:49819 as its argument. authlib-injector rewrites the game's Mojang authentication endpoints to the server named in that argument, so login and session checks for this instance are answered by a loopback listener rather than by Mojang; the report does not identify which process is listening on that port.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd450b3cb8,0x7ffd450b3cc8,0x7ffd450b3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5804 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5840 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.msi"
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,276244713704443850,3970993934323204745,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4816 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 3D94232F885DF82F7CDC1E3CC4707C02 C
      - Loads dropped DLL

    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 0A24799B62032D1D49C5AA18B6A8CEDB
      - Loads dropped DLL

    C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding C52FB5DB690029C6723EB6515442B702 E Global\MSI0000
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Modifies registry class

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
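Two things in this report are worth pulling out mechanically rather than by eye: which parent wrote into which child (the "PID X wrote to memory of Y" records under Suspicious use of WriteProcessMemory) and which JVM launches carry a -javaagent, and whether that agent is pointed at the local machine. The Python below is an added example, not part of the sandbox output and not UltimMC code. The records and command lines embedded in it are constructed from lines on this page; the game classpath is shortened to one jar, and the loopback host list is the example's own assumption.

```python
"""Triage-style sandbox excerpt parser (added example, not part of the report).

Extracts two things from a report like this one:
  * WriteProcessMemory parent/child pairs, from records of the form
    "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>";
  * every -javaagent option on a JVM command line, and whether the agent's
    argument is a URL that points at the local machine.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: one record per distinct (parent, child) pair taken
# from the report, in the report's own wording.
WPM_RECORDS = (
    "PID 2516 wrote to memory of 1036 2516 UltimMC.exe javaw.exe "
    "PID 2516 wrote to memory of 1036 2516 UltimMC.exe javaw.exe "
    "PID 2516 wrote to memory of 5576 2516 UltimMC.exe javaw.exe "
    "PID 4476 wrote to memory of 4656 4476 msedge.exe msedge.exe "
    "PID 4476 wrote to memory of 944 4476 msedge.exe msedge.exe"
)

# Constructed sample command lines: the JavaCheck probe and the game launch
# (classpath shortened to one jar for the example).
CMDLINES = [
    '"C:\\Program Files\\Java\\jdk-22\\bin\\javaw.exe" -jar '
    "C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/JavaCheck.jar",
    '"C:\\Program Files\\Java\\jdk-22\\bin\\javaw.exe" -Xms512m -Xmx1024m '
    "-javaagent:C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/injectors/"
    "authlib-injector-1.2.5.jar=http://127.0.0.1:49819 "
    "-Dauthlibinjector.noShowServerName "
    "-cp C:/Users/Admin/Documents/mmc-cracked-win32/UltimMC/jars/NewLaunch.jar "
    "org.multimc.EntryPoint",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
# -javaagent:<jar>[=<argument>]; the jar group stops at '=' or whitespace.
AGENT_RE = re.compile(r"-javaagent:(\S+?)(?:=(\S+))?(?=\s|$)")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}  # assumption for the example

WritePair = Tuple[int, str, int, str]  # parent pid, parent image, child pid, child image


def write_pairs(records: str) -> Counter:
    """Count WriteProcessMemory events per (parent pid, parent image, child pid, child image)."""
    return Counter(
        (int(parent), parent_img, int(child), child_img)
        for parent, child, parent_img, child_img in WPM_RE.findall(records)
    )


def cross_image_writes(pairs: Counter) -> List[WritePair]:
    """Pairs where the parent wrote into a *different* program.

    A browser writing into its own sandboxed child processes is normal for
    Chromium's multi-process model; a launcher writing into a JVM it spawned
    is the kind of write worth reading the rest of the report for.
    """
    return sorted(p for p in pairs if p[1].lower() != p[3].lower())


def java_agents(cmdline: str) -> List[Dict[str, object]]:
    """One finding per -javaagent option: jar, argument, and whether the
    argument is an http(s) URL whose host is the local machine."""
    findings = []
    for jar, arg in AGENT_RE.findall(cmdline):
        url = urlparse(arg) if arg.startswith(("http://", "https://")) else None
        findings.append({
            "jar": jar,
            "arg": arg or None,
            "loopback": url is not None and url.hostname in LOOPBACK_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for pair in cross_image_writes(write_pairs(WPM_RECORDS)):
        print("cross-image write:", pair)
    for line in CMDLINES:
        for finding in java_agents(line):
            print("javaagent:", finding)
```

Run against the real report, cross_image_writes() reduces the 64 WriteProcessMemory entries to the six UltimMC.exe to javaw.exe pairs, and java_agents() flags only the game launch, whose agent argument is the loopback URL. A -javaagent on its own is not malicious (profilers and APM agents use the same mechanism); what makes this one worth a closer look is that the agent is an authentication shim and its target is a port on the local machine.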
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Config.Msi\e5c847b.rbs
  Filesize: 10KB
  MD5: 432d3245ef7758d66888772bf327fe73
  SHA1: 0feb4b992edad0d4330c619f1c738fb7664e0ba6
  SHA256: 41eac1dc0210904b4a2f7105a31634292c2df7c19fa6d6c0737510f13a9eadb7
  SHA512: 3586ec7e6cb5ec03f66cff9b6975e68e6a7309a4596a50b1448ded360f3bdda59483f018f1fcccc2acf22209f292152fc0b23ed310aad42c728b133aa035f54a

C:\Program Files\Java\jdk-22\bin\windowsaccessbridge-64.dll
  Filesize: 70KB
  MD5: 753dbe7bb0436064df159acb1f566a8e
  SHA1: 44b926e69aff2ac192912ac44eb71fe1bd3d4fdf
  SHA256: 2ae2e250ca71a66c4fe9cc60038d079cd2da2bd2370f68e717abf411b5b9ce51
  SHA512: 018bd6f5e518e8dc1463a5a395e945796cee20969d5c1e71386afe39986c7e87ca794d6a26a048ee7f0c796429dc577b812c12573610507d0bbd48ea137ed31d

C:\Program Files\Java\jdk-22\legal\java.logging\COPYRIGHT
  Filesize: 35B
  MD5: 4586c3797f538d41b7b2e30e8afebbc9
  SHA1: 3419ebac878fa53a9f0ff1617045ddaafb43dce0
  SHA256: 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
  SHA512: f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Program Files\Java\jdk-22\legal\java.logging\LICENSE
  Filesize: 33B
  MD5: 16989bab922811e28b64ac30449a5d05
  SHA1: 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
  SHA256: 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
  SHA512: 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url
  Filesize: 197B
  MD5: 42bd69cadcf583341dfb2f3d0934cca3
  SHA1: cc607f090f32c0c8e09b587b1c042f576b74b46b
  SHA256: 77ed09de913aa87c8aaa70eaf8b85a2840e803c0585726ef1b19badb63c48baa
  SHA512: 308dabf7222aaa4a80a7d4d9a868fc059d9bf6093f8f9019e6ba9c0bc1f9f70020ded419048468e3ac5e670c75353786d92f0d593a59b4ea11023a107d943fdf

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
  Filesize: 175B
  MD5: 0b7f7b921d15c8f4651075739aa1c64c
  SHA1: a2faad6346abc164c037e168f247ade8b3a50c82
  SHA256: 7f75a65299b7abfad831523c53a38ca4454d63972b7b33390f0e73a070ae73b9
  SHA512: 01c96b880b77581c9e149e29e8826a3f04a15c0ab5f5bc004988acaa267eef12e584ff7ac3c9294382093d029cc0cfa185596d8467906d80e9d1d4dda290c9ff

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
  Filesize: not recorded; all four digests below are the digests of empty input, so the file is 0 bytes
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
471B
MD5082b8b3edf3d011642b7962bc214a5ac
SHA15f6986de80040ecd61466c4eda3a38ec3c0acf07
SHA2563275d5a4ea2a4faca01711ca6c2e9c07656f64b8bac2e97173aa4ff08d3aef43
SHA5125b96a06fa03aadbacc718e8c38ef12703606602a165ff4d06be6179188e9d86c8208dca15dd2d361f81446ad5858737c89a0c79a0f5b24f80d2959ff3a167375
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBDFilesize
727B
MD5353b71f70b49c6f7711d76f07b947298
SHA143a2c08e8f642b8924b2d5c3d52846e503433db5
SHA25689c65592a26ee7097f8d11b5e6c29d85d68d2bc49c62e7ee7dd5700f04eb775c
SHA512571400154ddebcf2c239310ed5dd39a1bbda91cd12a2c7270502ca5342fb2b66b228124c35bd96efbf3d4773a1e16f6267515aacd0f16e3a309984e10978aeec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
727B
MD54b6db32e31836998fae054aff41e9985
SHA10aa00bd7dc0830fd745229945fb812e0888cc02b
SHA256b512a1c486317232d145385c52910dcd3fe98a26543c463a054de9864710c6b6
SHA51259e48c5911fadd6f6fa43f75099dd13d7f8f21e7ad417000a07c50180d701693c6d2cd3dcdfa141d60cdf567ceb14ecc0ea99f8887ab877c037d8611a5407b92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
400B
MD5f5ad82758d69b258c16ae2dfdd222423
SHA1cacdee2e0f5793f5cf7bbcbdbbead03550c39a44
SHA256c6b9921510ef23b34c6353d52905bd55da634616b8116524090652c94406d372
SHA5121f65ab9cb1f1b2771a39ddc765dd7fff3c6d7b5d5eee4ba1586537cc9f8f4510e8d1b118f1ea440c15ebc7decdd7ec0249a2082af7cbf2aa279023f65145ab53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBDFilesize
412B
MD5332900b899c0be29acabcab8d3711c2f
SHA13ee3646f682052383f84e7f624b17b4da4d84dbe
SHA2568bd60d27e971d53acc7087b5f7c1f8f3b929e746148f84958e920e43e12a8884
SHA5120923636e523a03e4b9f87645fb721f36e6cb2e0f20128ed0fa75577028a7d2c291dbe0a9a4d4cc76359a8b81f9ec735dc744cfd9461281b74b9dbe5824055a6e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
412B
MD5ef59112d6d0f0700ef1b13021b64a188
SHA127bc7f879b8dc53e9d1bd8e5519ff0bd3cbbfae7
SHA256199709268e32674e8f182fdf854395a1e34fbe08540e1212f2a9c69f188bf12c
SHA512d6159eb90f1fe6c9e30464d04e8c8b7488c021f6469f287a109c8737c25955bd273ae38eebe89c99e0184bcf5848c4ce8d6fe0d5b172ea47f28cf72bc8ae3655
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5228fefc98d7fb5b4e27c6abab1de7207
SHA1ada493791316e154a906ec2c83c412adf3a7061a
SHA256448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5026e0c65239e15ba609a874aeac2dc33
SHA1a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA5129fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5df8d0b2deebf4fad91508f622a2048a2
SHA1af20ac0ece99042e2d85be069c0f18aa662172ee
SHA25688f3670dbb63520b35aa8d6bba6dc4d006715763f3f56703b4731f0df9193562
SHA5125746750661da2919a15d8fccbaedb6367ec89ddf1252c8be30ec95887dcda7c91564f6a74cd7a0a94a1c6393a3264aac141daf8624a39d8cb53aa02fb50ac17f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5792d55416ebdc2c08c0480b70a97335e
SHA1127d59267159f7074d0efb01ad63e8420d9fabd3
SHA2567d66e2db7f8f04913069c2681da756405ce4e2aa43a8678d43dc1103c7b9230e
SHA51226d047181f4a27af277b7ebd7b858840e6be2fd9d0789489af0af5468d7b1672c7839a9685551998ad5bc63969b3069ac1bf1154c9e4bcbc9a72cc8187cc444f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e136df978535aae0caa078eb016defec
SHA152b2bad537b8a1a0b3cc62f5ef009ef3501766c8
SHA256389efd63c212b47ee346693f4b752ea4961ed6a894f1781a1be3359ba8dae999
SHA512de5d18a0514f35c0c1fea993348a705d3d22e0e9efb0ddca49e47b5a459aa97d8e0a762b8d217fd0bdd11ce1b1875d48125e03e8a17547b8268fdbaa61e75e5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f3c5115d95230a11907254515122207f
SHA1f4c054f66919e82975c48dd28c0045408d5e01ce
SHA25625bb46ba09aced6a3261af6f44d307870d6185c82250ef73fb0ef46c4f304831
SHA5125608061a07abd2885e3c8af001fb1a459fdaec8ec36a82e04e8e2af904308ce8fb7bc77fb4ef6fa23450a26448810387f3169ca0d21d2e529a64176ee51eafc7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5fb7061c6432b310606964847f7963418
SHA123e91dca4716f49d6032f2e847a41e2ebafa5a77
SHA2562ef6678f66f693c7e4edcdcc75549653c49b1df84775d13b9a9306847b1e7816
SHA512034995936f79c254c39afa536f647e7b891af1deac6ca1bb50484ee3b47e41c38d812df29ea9be71a4c9da69fbaaa89aad36dfde33d847749710233e192632ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD56391efb81ee281e456fbc495fe8d1eab
SHA1689803b64b3e204a53966ac280cb170334a30e68
SHA256573a538570a2ebf1b11a7e082788ad46876942aa140e440e3a36b1fbed9acba4
SHA512166618a5e9078f28bea3b85254a3de3c7ae4905f18602529cd0e444fd216d568a5ac8173df1c801a9fd6a544c39ecd33eaf07206bb10d15cea9b62da9ced0712
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d608b518-f8d1-4395-b132-d96e96df117a.tmpFilesize
10KB
MD524ae49b693fa0f2b80dc6160f23e62ca
SHA19e970f7b1a79ff7ebb8375d53f408f6afbd1ea32
SHA256726a4a41731442fc716a793c067b4ebefc188206ec72b097a31b059e9f27fbfe
SHA51274c29c5b9dd0c4b253e52e8fbcb7518e8c6cda96feacfa07dd4e07c2b11b0dcdd7c086322b3e9049b837e29e24d307269e264d6573d0e50c482eb243d6e4b43a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD53c25ee47481cb7e84ce3ce42081d51d3
SHA1eec0e660d605f51ef71ae7155f25aaf0099ca96a
SHA256d6c36c2effb0a840226e7f42f294632f6dbad2dfeb7255ffeeafd69ea980d978
SHA5124deac1f21d5113ed55c59e7350f3176af30109db5f4a30b7711e5045371530b5dda92e48fd26226ecf0049bff4021dfd57bcf18da6c4e814f354683da9bb4acb
-
C:\Users\Admin\AppData\Local\Temp\MSI5FFA.tmpFilesize
947KB
MD5a5f00b94876c9a227eef8999066da036
SHA16ef74b6a240472ea6ea6e90f5746b7fda43c9e27
SHA25685826dd6020d59ba225786162a18239b4d67c4909a0f3ec49a50430484afad2e
SHA5127d35528df363cdce14b596187a746286306ab4776170cf8b0ad36e5d5db265b70ad8dd2aa88b0d65841fc21d49e5054028e6b023ce19fd008e6aa80b65bb0a3b
-
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna9876608289229429466.dllFilesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
164KB
MD5c5eea8f0f6a69282bb7697f9c7316ca1
SHA14728a8c0b74cbd1eee75704fc94c7acffffb211e
SHA256e705f1b08da8aa367bd88477e61a6fd27f6de0d61f6311e96bdb361fd9524550
SHA512e0a78f5845d289f1296f68fad37eca61326a346a8ef5fc4cf09982f73ef30897efa37a295b9ec83d712145520b7d89398fce0580df4ecdb45d95f28c383a2ffb
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
174KB
MD579fba647ec90055e637f5dfb1da2f6a7
SHA16f4af69ca929c93038ebf1054d9e00a96ba4d4ec
SHA2561e433233b75ea0e0affbd593875198fb5c4cbab13a33648729bff6f8f1eb6b9e
SHA5127a935c7810732f744b9b50da06f3c1003484f4a5f40b37e2d2b479aa3f0f786e9cb9f7f270e600d420e5fab7fd9be242133dab020b88da297e778109950ac5d6
-
C:\Users\Admin\AppData\Local\Temp\lwjgl_Admin\3.3.3+5\x64\glfw.dllFilesize
484KB
MD58cabdbe3d67546771b02af5d42073cfe
SHA12e19147110b9872a52814956bab151a7aa80ce58
SHA256affa7e54eb0dedce4a5721c327c1a16035edbbd039cd402e08107d6d2d55eb1a
SHA512b7f46feef779e5772fc7711fda601fdda6ee4bf41d4fb87735a0b8fdc5fdbbdab23ba1760989e15d66cf9ba65409933cbce858eda169d04f13f401198245ad1f
-
C:\Users\Admin\AppData\Local\Temp\lwjgl_Admin\3.3.3+5\x64\jemalloc.dllFilesize
389KB
MD5e58d41175587d4355fe06bf8b8a1ab32
SHA16403f8243ea983a225b3bcda6c821a0029ad9ee2
SHA2569abf0095066ebab37b78968e11370a8078313e48cb5be8eda01f67623c6a6248
SHA512fc432ddb67dce8a672ac268d25f01d40c1d614e4ef34cbac6c4a2c01742ebab5d00c7ef5d9f0ef46ce0b3b6a4d5ace581fcf8c247d492c3882f561015d9e2ae4
-
C:\Users\Admin\AppData\Local\Temp\lwjgl_Admin\3.3.3+5\x64\lwjgl.dllFilesize
468KB
MD5d8ea3886d9f59b514bfa5b24ab69c0ab
SHA12bf57942dff5360889f0e89c58d5acdc54e5f1ea
SHA256a39adf52947fafd954c2a86ce031abb8c59825f7ee50337ac8c41e4280abe82d
SHA512ba8af0415c7b0454dd8bdccf78ed59da3bb5cc5f631dd060d3cd0eaf74d8f55d7531248b6b8a995ba5b672dc0386d3fa198e8c761f2e1cc0304da0dc029bf29e
-
C:\Users\Admin\AppData\Local\Temp\lwjgl_Admin\3.3.3+5\x64\lwjgl_tinyfd.dllFilesize
246KB
MD5e7349669dee3093d266849685efecc60
SHA1e7c3d94ad9d83f0762dfd82780d2a683d5d9b3c0
SHA256ec7d76e6ef7a99628ef6f8b6e544294b700108c341837779e6e2c01c0bc3da9c
SHA51241d772a4a9673db43a4584af78d5c128278b27efc01b7da47a9f8f629fd004aa8e4c63186d93b6cb7b664325272f0a291a1e80d9ae799910989171c1cdec34c8
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\accounts.json.tv2516Filesize
685B
MD596616e7e211795c9a725c8e50e81fe02
SHA1065f9987f3a55bda0a9fb53ab26db3b74ae50692
SHA256e48734ca0cc4c910ca7bcf0e2bb731a844b8b33191692c26544a1f3fc3a6d6a8
SHA512290face3a32fceae73f4c12734d500b8e352bede3b2deda4e2a55621e6da860217a5fb6f25834096d9d161a192d59ee81ace7a2f9fb1172640096a18b3a7f1f3
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\assets\indexes\17.jsonFilesize
437KB
MD54be4b2031e11b0e4850b95cde6c81530
SHA1a4fe1e7e5c19730b0014771d2cc2bf7ca3f8033e
SHA25676ad92068fe16a79658fbb24b455b0cb603807981e1d2d912050216bfddd73cf
SHA5121df80d3e891e52cb661a470e06d368a2afeaa3625ca1de6b28ecf0b367157cdcb5da18453efd2dac75f3d52c164dc2924f57bbd5728c6cc7641f4c437816fccc
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\assets\objects\ec\ec92a55cb324afd2b78cb6f7b1426fd80bf4d754.Qf2516Filesize
438KB
MD5078b15d73729b693dc31fb5dbd2e8686
SHA1ec92a55cb324afd2b78cb6f7b1426fd80bf4d754
SHA256cc29fb5e5ebf4ca7f983b012af208371db40388c94385de59d7d758ebf9e69a5
SHA512debbc0a4463c8ddb56b16ef9aaeed2a64f6b05dc9b11928c27a0ac34c83d1caeaa8f53816093db5a6630970d46516e019d18f1bd799a67c922644cae578e9751
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.EU2516Filesize
716B
MD549038929c85c8966a3b9c537aca6f02d
SHA188b6fd50ae30efdf1c17c52f1d8fd3ab18eabb9d
SHA2565e0781431e265cfca6a42bea7f9f4809c50c96470b6cf33db7d27e41f6e62b1a
SHA512564d59fab3553f0cc4dd999ea92a6bc0a5c67a261e770f4cd9d6b1f4f88463083489f30265cd788e4548653442ba5efdf7192e27d7eb1e7356147178b604879d
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.Hk2516Filesize
957B
MD5af49545c707f156c26b0fa81540295ed
SHA1efa72322b211ee90c490cbd4ea0191115456600e
SHA256e3de82a8d1206124ff047063103ccb76d311a5b4fbb734aca01a3a0f9a318509
SHA512b0accad9652bad21772ca5289b98d471428ca8cf8f65501bb98d58f46fb2ea8d4bbcee51c0fb741355f0b037303f78b7eb03b482d43503aa51394298eb7b16bb
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.MQ2516Filesize
976B
MD53eec9f07ff3bef6fffd6d6e3fc62ea21
SHA1c41c1e0f295a55865c3a3db1c796fece292db189
SHA25665614eb02ccd10f9dc8e918aded73d638d17731c9f4964704aac552f8d3092a1
SHA5124256b959d0c5e6a05c7ac6518e72beef9b52f29ce3d2427bf2e245715876e872daf219f913b8013c0f74ebf7310e50a060770df7e6364f91f6697082979d488e
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.Tb2516Filesize
1KB
MD52f24c9a56afc31a3093a6db8cc97f45b
SHA1bfc1259271cfa80a0aa95b706a8ac3071d4b9e3f
SHA2564490f3089443a2ebc7e695bd6c68b18718630780810ef30f55f5a8b36503cccf
SHA5122acbbe62d596d63d83822757c7e1568dcff1e18e56ce26f57bc02cceab0d6e047f17be9e12887454626894febf45f5707ec5178881878bcc0e8d8e5ccd72a402
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.WC2516Filesize
872B
MD5d502ab0ce5edc506b8234a96e0b7988c
SHA168d4f8849deb718b61378583378e649b0609cf05
SHA25656b115d3ff714c6fa8de4c27075b9f2b5521e396820e6cd3f237e1744809573a
SHA512e40dd8da8ee4bb560b14d6e3503412a2b2cccedd27bfe32f9be12b3c282260f8cecd010a1540307aa423f911e9d073d22645cf967b721699857c4b923475389e
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.Xb2516Filesize
1KB
MD5281b1a4d81cf03dbec7ab94fbb3fdcf1
SHA1e99bececaf4ae60abbe60e78383dc8672ca9ee95
SHA256fd3ad24be42b57ddaeb3346f78f30a052bbb5082927f06430de7405061be490d
SHA512d2b99ed8769bc32f9c859e906e0051ab1ad5a260f5e1dbd3a194fa7c8fc2f325eed3d78d87bbb6614f235e028076ea8cbb190ca55ce405f32dd30abe3fc2f474
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.Xv2516Filesize
1KB
MD5cbc8d6955912a7b1af730a346b255e74
SHA1b3bf1128dd77cd47ac8935486d1ea4246099fec4
SHA256ca0c37b8c41099ad5e1f202ae1e746afca3499c6b21792f746ca689eb3a65ae8
SHA5124f02e4e2dca33f2ed779a3eb48e54ff8c4988ab7eb3c45f44467959131bfc522ffa243614bc5cfdbfa95b802930adee5c369a2ccb6deb2a4c0e29e9c030709d9
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.aS2516Filesize
775B
MD5c91d4423dd69d5d665fee9c9e4b9d388
SHA1798378d0e59d090a9524d2ae9f61ccfe931e656e
SHA25682d7c071396d9c17b080e57f58063764e3184e0d3f27dd08785642360d6523ef
SHA512ce48e101755ad159a8175cd573ffa35c7a1a613dae8890cd306fbc474fb8e0701f79ee9ec2249603dc3640e4c3f2d18ebe9e67310aca8d330c1ad03f33f0855c
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.mi2516Filesize
853B
MD563d4ad668251ea22ccc13b6f2ae687d8
SHA13127fe5ec0111fdc1badcc3a5d679f3a9e58c8cc
SHA2564164233146175b2576ffa11152271e962233071571b8125d4c05d3984770b2e9
SHA5128f3ca3f8d5ce04a85795ee058e962343eaa131c89a4abb9238adfe5685748f732b23d21e424f653319ffd7f0bf03a5609166f0eaba681e7e5c872551f559a2a7
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.qa2516Filesize
667B
MD59b9ea036553cf9caebd34c2c4ae64289
SHA1e25f3717deaf441251d586228e481ce3b7fb2cb0
SHA25665f1e8849790881c02ed664635231a5d5f6ac2a470b7938c77bf55edf5708bd4
SHA512594f4e7993879bdb349196b3f347fe6a1ad870e8d964e7dda00a13576c842c04ee66969ab794a7bf4620ded14236e7a03295caac9b10e0b9bc6cbdbb4c864d33
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\instance.cfg.ys2516Filesize
879B
MD5791ea5c1fe55c10b7467ad12cef3d87a
SHA150f4840d5e9b997a553924436461d8901218b739
SHA256f3487f5d56d38a54a61c3adc0b187f250f609bf3459fdae84dd73aa059585e17
SHA5129115b70e5417f6923f8c7b7c695be7e0c462e597b2d897b713319a1421d449c21a208a78ec276e9be2e48cc2ca0a0100699c67616ce6ad7e311ba2a241375619
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\1.21.1\mmc-pack.jsonFilesize
251B
MD5ba71325ddb15e8d24937e1bf8e1dae6e
SHA151ce41dfede5700eb3cd08ef3c2077ee80b1d524
SHA256c695268142aa31c2ac9fdfad24db9b1e20fb781ce7a92afbe31cd8ad356b1baa
SHA51219e699b79d7fa723ed3563ba04101dd748d39860da25211bcd8ecc5e6c2537f56fa080cb480e203a4702606233f8ad56f7c83097757d456d29c3ff2aee0006df
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\instances\instgroups.jsonFilesize
52B
MD5e779e78d956ca4bf36d98ec3c326d88d
SHA113cca38b02da0fadf1f83b64964d52f1233203d8
SHA2560dd2a2f647bd2d34e72ba82fe690d52b8cb0d36a57cf0c59c119e241d0c478d0
SHA512fd1fab8367f3e8dc0e8c17211b3aa2115ea6ad5e6c319a28cd0033ae84923f96f2c2556cbff1bb8de22f2e0b7ef1c521b19881d11eb1690efb3b4700e9d87509
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\ultimmc.cfg.MF2516Filesize
1021B
MD5435592f3b148f2187140fbf0f26fbc1b
SHA12992102dee79e85b2acc925b2d8ac0d9af071037
SHA256ca7afbe5483fad1a48f4571d498d846689983878f58f1c229c6185a5edf3e7f8
SHA5121a5ab385927963263fe33cadaa6d2063f4e2cb565bdcf1236a14c8a36bc5fc1a804f9a8f78a6414d05b035890eb2ee6484dbd632a33d372cb226917c8f5c8ed5
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\ultimmc.cfg.gn2516Filesize
1KB
MD5793f2e8ff83790c4a9dc833999c4421b
SHA1a67a226facc3b028f19cc0a427f05ed3cdde3c07
SHA2566cd7f4b772a6a34d2fb4b71273c16ba50188905deca1d7565c5c69cdb7e63c7b
SHA512bad7977cf883ca7a7abb8380ed0396396d6788b6f1834cc07ce2af689ec1f901365a09c633e6cf4244716fc1cdcac101df6d28ba87d6acb04011feb8addb9546
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\ultimmc.cfg.re2516Filesize
1KB
MD57a81e13d43115eafba0d309f00afb1c1
SHA153e46806b9340743f012e4b20bad51d8a0e529c8
SHA256b8de40c844ebf76414a84762abd8cbf7c86d353fcb9ad6ee15a273025e5f2be4
SHA5123ad47e2ac9eebe20e039b5e967f2dcd49236ae21c94d7917ecee95de4aaedf5c8281e966ab7560416b937d48640f039c81c320faccb482cd8d4b985a03754757
-
C:\Users\Admin\Documents\mmc-cracked-win32\UltimMC\ultimmc.cfg.sa2516Filesize
1KB
MD5b6aba2ffc083a42dc113146fd7a4d565
SHA114c7c6664b49aee20293382ace91bc820ac1e801
SHA256e6baa0eeaa47501f39e13a231074c253488818bbd4c940b7697384c3bd726be1
SHA5125ba93e445a29fa4baf6ba665ff1754e48f59c8904fdfa8d12c42229e24066184d0d4900a3c57b73455b5710ab75dba13dfbb89ac9cf02c263377d9c8abfd1cda
-
C:\Users\Admin\Downloads\jdk-22_windows-x64_bin.msi:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
12.8MB
MD5ca86f9b41a267494a2c7d129e08abeb7
SHA1ac747f4fcbc677e45eb6d1ef7c2b4ae3186432c3
SHA2560acd6a140615977bb8a2522894c01d9cea6e7628f115f6510452a5b21c613183
SHA512cf28191d256f1af2fd37bbfb0f3eea3b39045c9f68f286b4db5275f6a1ec18643dc0367e4bf4822003d136747742eaa23b88488006106c260678fba3168da181
-
\??\Volume{8f05ed10-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eb0e46af-2b89-41b0-8cbf-59c3f81db142}_OnDiskSnapshotPropFilesize
6KB
MD5d144f65cf0b810dd1731618c2a5ded79
SHA1b1337063b661dda832cde9606bc29251593c662e
SHA25683bec4eb860f8bd9d3cd7cc2ac945d115212cf55d17344fa2229fa5b611f906f
SHA51229beca02cccdc6ad2103bdb9939a0c294abe6ed400fd0547aa0a111bbd0be82f9f1167cc88a8af0ebfab321d644feaa8500e5f74a8dfa8ca132b55cc11288499
-
memory/1036-54-0x0000023419FA0000-0x0000023419FA1000-memory.dmpFilesize
4KB
-
memory/2516-104-0x000000006C600000-0x000000006C615000-memory.dmpFilesize
84KB
-
memory/2516-132-0x000000006A880000-0x000000006A9F6000-memory.dmpFilesize
1.5MB
-
memory/2516-90-0x0000000061B80000-0x0000000061B98000-memory.dmpFilesize
96KB
-
memory/2516-92-0x0000000066C00000-0x0000000066C3E000-memory.dmpFilesize
248KB
-
memory/2516-85-0x0000000000400000-0x0000000000A3D000-memory.dmpFilesize
6.2MB
-
memory/2516-86-0x0000000070940000-0x000000007095C000-memory.dmpFilesize
112KB
-
memory/2516-87-0x0000000061740000-0x0000000061771000-memory.dmpFilesize
196KB
-
memory/2516-98-0x00000000015D0000-0x0000000001B45000-memory.dmpFilesize
5.5MB
-
memory/2516-91-0x0000000069700000-0x0000000069894000-memory.dmpFilesize
1.6MB
-
memory/2516-93-0x0000000068880000-0x0000000068DAF000-memory.dmpFilesize
5.2MB
-
memory/2516-88-0x000000006C8C0000-0x000000006C8FF000-memory.dmpFilesize
252KB
-
memory/2516-95-0x000000006E940000-0x000000006E964000-memory.dmpFilesize
144KB
-
memory/2516-96-0x000000006FC40000-0x000000006FD41000-memory.dmpFilesize
1.0MB
-
memory/2516-97-0x0000000064940000-0x0000000064954000-memory.dmpFilesize
80KB
-
memory/2516-99-0x0000000000DD0000-0x0000000000DDC000-memory.dmpFilesize
48KB
-
memory/2516-101-0x000000006E600000-0x000000006E674000-memory.dmpFilesize
464KB
-
memory/2516-102-0x0000000004D60000-0x0000000004F72000-memory.dmpFilesize
2.1MB
-
memory/2516-103-0x0000000006160000-0x0000000006171000-memory.dmpFilesize
68KB
-
memory/2516-0-0x00000000015D0000-0x0000000001B45000-memory.dmpFilesize
5.5MB
-
memory/2516-105-0x000000006E840000-0x000000006E852000-memory.dmpFilesize
72KB
-
memory/2516-130-0x00000000015D0000-0x0000000001B45000-memory.dmpFilesize
5.5MB
-
memory/2516-89-0x0000000063400000-0x0000000063415000-memory.dmpFilesize
84KB
-
memory/2516-106-0x00000000626C0000-0x0000000062706000-memory.dmpFilesize
280KB
-
memory/2516-107-0x0000000061B00000-0x0000000061B10000-memory.dmpFilesize
64KB
-
memory/2516-108-0x0000000067740000-0x000000006779F000-memory.dmpFilesize
380KB
-
memory/2516-109-0x0000000066AC0000-0x0000000066AD0000-memory.dmpFilesize
64KB
-
memory/2516-110-0x0000000070700000-0x0000000070714000-memory.dmpFilesize
80KB
-
memory/2516-100-0x000000006A880000-0x000000006A9F6000-memory.dmpFilesize
1.5MB
-
memory/2516-94-0x0000000061DC0000-0x0000000062404000-memory.dmpFilesize
6.3MB
-
memory/2516-3-0x0000000070940000-0x000000007095C000-memory.dmpFilesize
112KB
-
memory/2516-125-0x0000000068880000-0x0000000068DAF000-memory.dmpFilesize
5.2MB
-
memory/2516-126-0x0000000061DC0000-0x0000000062404000-memory.dmpFilesize
6.3MB
-
memory/2516-5-0x000000006C8C0000-0x000000006C8FF000-memory.dmpFilesize
252KB
-
memory/2516-21-0x0000000006160000-0x0000000006171000-memory.dmpFilesize
68KB
-
memory/2516-14-0x0000000004D60000-0x0000000004F72000-memory.dmpFilesize
2.1MB
-
memory/2516-6-0x0000000000400000-0x0000000000A3D000-memory.dmpFilesize
6.2MB
-
memory/2516-2-0x00000000015D0000-0x0000000001B45000-memory.dmpFilesize
5.5MB
-
memory/2516-4-0x0000000061740000-0x0000000061771000-memory.dmpFilesize
196KB
-
memory/2516-7-0x0000000068881000-0x0000000068B29000-memory.dmpFilesize
2.7MB
-
memory/3172-57-0x00000238763C0000-0x00000238763C1000-memory.dmpFilesize
4KB
-
memory/4416-53-0x00000214058B0000-0x00000214058B1000-memory.dmpFilesize
4KB
-
memory/4436-70-0x0000020E4C730000-0x0000020E4C731000-memory.dmpFilesize
4KB