adwind | f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yWorAvKu.exe
Size

1.0MB
MD5

acf7ad3cd2ff2f71d7aeaf8a78ee641e
SHA1

2c2dd1a2a5b9703737db85c2f5374955f0af5f06
SHA256

f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4
SHA512

7db0d59d63e9d92c234fb9c374b910c7cfcec972e874a57a41e014d7786dea5da63d7a686750ac73a9c1ed568fff2a1f5426730bc953077c8f7851fb118dfd53
SSDEEP

24576:ZrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva0h5z:Z2EYTb8atv1orq+pEiSDTj1VyvBa0h

Score

10^/10

adwind discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/BagelsTR23

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/jre-1.8.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/PopUp2023TR.pdf

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2536	powershell.exe
15	2032	powershell.exe
16	1940	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	java.exe

Loads dropped DLL 11 IoCs

pid	Process
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe
4880	java.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jre-1.8\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1738939862486.tmp"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2536	powershell.exe
1940	powershell.exe
2032	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1972	yWorAvKu.exe
1972	yWorAvKu.exe
2536	powershell.exe
2536	powershell.exe
2032	powershell.exe
1940	powershell.exe
1940	powershell.exe
2032	powershell.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe
4476	AcroRd32.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe
1972	yWorAvKu.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4476	AcroRd32.exe
4880	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2536	1972	yWorAvKu.exe	84
PID 1972 wrote to memory of 2536	1972	yWorAvKu.exe	84
PID 1972 wrote to memory of 2032	1972	yWorAvKu.exe	89
PID 1972 wrote to memory of 2032	1972	yWorAvKu.exe	89
PID 1972 wrote to memory of 1940	1972	yWorAvKu.exe	90
PID 1972 wrote to memory of 1940	1972	yWorAvKu.exe	90
PID 2032 wrote to memory of 4476	2032	powershell.exe	95
PID 2032 wrote to memory of 4476	2032	powershell.exe	95
PID 2032 wrote to memory of 4476	2032	powershell.exe	95
PID 4476 wrote to memory of 1460	4476	AcroRd32.exe	99
PID 4476 wrote to memory of 1460	4476	AcroRd32.exe	99
PID 4476 wrote to memory of 1460	4476	AcroRd32.exe	99
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 4852	1460	RdrCEF.exe	100
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101
PID 1460 wrote to memory of 1912	1460	RdrCEF.exe	101

C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe
"C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F229C11A00F7D1BFA3220E551048C81B --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4FDF05DB9F44F66A2F4CC17F828DDA70 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4FDF05DB9F44F66A2F4CC17F828DDA70 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=611248F8855F11AE91143BE99D6DAFA2 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2414CCA27DE1F75942ECE3D98E64FA72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2414CCA27DE1F75942ECE3D98E64FA72 --renderer-client-id=5 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DCF2A7AA188BB1C75D739D237758BA47 --mojo-platform-channel-handle=2736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AFA2D864917418E8A8185E3DF549D011 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\java.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.jar
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4880
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1738939862486.tmp" /f"
      4⤵
      PID:3184
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1738939862486.tmp" /f
        5⤵
        Adds Run key to start application
        
        PID:736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
bc6a5b50fd6e64596fae1a48d56814b7

SHA1
30641cd9d5cf6ca77ffe7810f91a6fff8600c187

SHA256
fc6aae39892c1cdc87dad2417ebde0e7c062c87d99d19130e489b988d6301cad

SHA512
69d70089e67f71a56eec2353ee3ebe537f2332682e917dcc1bd2e2a3f85b589dc81cac5980e21b08d3caac515443a1d36e74196d95848abb98e1fe27ba66a99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
027f752ee0cbbc3ac151148c1292faee

SHA1
79a3e6fd6e0a6db95f8d45eb761a629c260f937c

SHA256
0359fc2210c62b1c352b0583904cb485b6310146c4f47b6838b08350bd25a1da

SHA512
0db6ef15ed79c8dea5ab0596c6221b396b63164ba8250c5cab384e4e5664d72108cdc87b0a7318e56a1ed9b99276bf8cc170130bda85c54534f86c6eb2420a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf

Filesize
11KB

MD5
58201ad042b6b286a6dc1a37d71b4742

SHA1
1bf88a6fd953315c7617435b0dadd732d3305678

SHA256
54e35e2363d5f6d6977e4adf74d2f0f72bd5d095574fd93157813bde4c2e1d5d

SHA512
3dc2b64323e151922f7d609dac1da43dc54a5fe245033799a6ea107756f1ac5400378bfdf60bd54854168a249d388f0b1a6719da2b92e6fdf2ee510e1c26953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1

Filesize
534B

MD5
a64028a2acb1c58c00c5242946f58c9c

SHA1
352e26e43c322db3b1643a8ffeb0fad0e5549259

SHA256
c2d9264c4bde6225998c5da0201da0b6c8e7f48121cf55fd837d86ef6d4606fd

SHA512
b1afac1dd3b10308377af2b03cd188aab2810e184b2d019f4bee77b8096fea69ffb37346ded7c13e3868855baf47a7d3cbeca72cc1cd22761c6c5896f123e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mosegjor.qvz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.jar

Filesize
639KB

MD5
29574e16e238e6cc692d0e25e6eee8e9

SHA1
fb832f9714283524a65f6176fe67cb2399055fbb

SHA256
e555f0cbe5d44740393caed3e4008f338b05f10f23e6e1abc3aa6a52033ce5d6

SHA512
7ff2edb0bbedcd9bda168cb15715f964e26a102de4cea1c4d5fdfef88e17c9476bdf2c0fc874f00c3b11045c43d8f5bb29958fd3d4549c0f72a0de807d02b0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1

Filesize
646B

MD5
ab621449b1acc88a3b374eea51d49c9a

SHA1
bbf67121fdafbd76c8eeb7c09f201bf2c1090db7

SHA256
8120e4693352d587b506bff96b066700a6192cfa916090fa6c6ead29c5511aa6

SHA512
847bd5af9c20bc29c0828bb8cb75b8bef2a8cd462d4e12dbb363d54f5e783d1c71006171fe4e78d3a9dfca9a56385422a8468d52692be40b97f41e0b0e4a21f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1

Filesize
1KB

MD5
dd4cd8a5a68c798ff62b7f9f0ec5e724

SHA1
6531ce5997564834f3c6341639af46c23bbdd3ab

SHA256
1337813ba48522510ee97329f25325813f82592b4c8ca53bc6fa864484366184

SHA512
44b866a549487144ffa6338b4600ba75f5eecebcf60c2027cd90f27216c009548532c64e2088fd444b20828abb2ae31b0632d2f883e95c8a3a2ce05c0c2d6529

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\awt.dll

Filesize
1.3MB

MD5
cb169ea7ffbfe38799ecf59c167590dc

SHA1
a3d10df6a2a5b09d8f9037bba873c9aa1bbb6256

SHA256
3cd05d3fcda801dd94a2c791e0887a4cb9b73f4b5c109d90ef880a48593cebae

SHA512
91b9837ccfa9e9792d76d719d13b714ebaa6683302f0c705a2d6fb8a388b7afe641c7f4b4807412544cda4f499091930ff497ed832c49ec930d5daf3e99546fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\java.dll

Filesize
161KB

MD5
edf93b96cf81c95f5fbd76482469caec

SHA1
c833df945ae41d8d0980d3bcd53a3de42a956ff6

SHA256
4d5a3a2ba54fd6584ae5e2950246a98b17969b5b78622dcb7e57f7d58486d09d

SHA512
fc3f4dfbeaa40595192c586aa9f181227d34f7af780160625d31b7e2aedd562819dda8f1b8741fe9a3ebbef589a6e448b2dfe13340492e9e9775ce7da3c21436

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\java.exe

Filesize
302KB

MD5
66a6eeaaea8ff0fc87d4f35438695bf6

SHA1
5798e8ff9d365ce66c82727cf54a98501b099f3e

SHA256
04364c6981b9053b4df5e1dec465079e95f45b616ccf53f31a1dbf1cad177507

SHA512
8451a755105e59665cd3c28f513c65f9bff5d17090a644d95df6139a32410776df8fad60678cfeebff1250e4f57f2f497c56b104939c4f4906c42af08cbf9077

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\net.dll

Filesize
104KB

MD5
f6cc9b78f8f4e59b37f31c0e32eeb419

SHA1
2ee2ce9aecd4e5b00cd94bb30bb45c5aa84c8dc2

SHA256
17922f0b7d8d2dfea836c151da13e721d977ff19df41674105ffdfed6f139d8c

SHA512
70344363190213d504e285987bf714b5084e54364e61d04fbeaa8a9cc977b8cb4cd9ea3277fca639895624f80158584c76773f11d90eaa4afdb10da4eb4b3346

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\nio.dll

Filesize
66KB

MD5
b36e43eb98a724a2edeffc0533e45946

SHA1
f1f4bc4eea2c434e530b9d86ecfbb83580f823dc

SHA256
0cd8b099b1845be520653f486b1709e32a7028f8d930322220bd74450b3580a1

SHA512
866578b8d911568b6ca72bcc86ce29baf29b282b0389158c13603b493fbba4c49335d7cf7dd0fdce3ae3473bd9a0777555ff7f1583308effb785ab8a5dd328fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\server\jvm.dll

Filesize
8.5MB

MD5
0acb8aceab05d023c766d21939f1f9fe

SHA1
896c504374ae2dcf70c9bec64e8107e4d871625f

SHA256
b4d3cda302697a0c5d2969e33d4d97d1a31f65fa856e14b27164acbe9fd014ed

SHA512
aa369ad95f4765dea8eb4a593872a3316648c818f2f8c264b2ce3c45f5b16130fbbfd9f625d0959bdd696537fe20a046334c4663c564ef9e24f71513597dfbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\sunec.dll

Filesize
142KB

MD5
6072e699f460f4254776ca1f9a406e79

SHA1
5227b00708e4e8ea5dc13113d274ef0db7228f3d

SHA256
5dda4daadff033f6bc8a0bd355f9ea9843f9ab3d6d5348740a9c7589b3fd3869

SHA512
c5e7b76cac294ecda70f4bf8eae7cfe78148b9c37ddead5b874422b5734cb91fb7e5fbcbbf14f42e808da2d65060ad545e412785377c038e74978eab3291aa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\verify.dll

Filesize
55KB

MD5
68ca18425b8ef44243b794dea2a55b70

SHA1
0c34eb939f9eeaad585996d5f52fe1bf3a04603f

SHA256
dbee8d54bd5f261f1eb94adcfc0e087f903415d262eb37ae0f514cf2ab718ed1

SHA512
34342e0f84fef35427b1c8a451e5290a2287fbc2fd66c5c0beeecce600d7d387887d5412c085d01e022a2535f490f75031e60abcac71f4aba58163e2977b4587

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\bin\zip.dll

Filesize
87KB

MD5
77865c4062605e74727ea7a3db474391

SHA1
274552acd1995c468ec29c10d12edd42dcaa5db6

SHA256
eaee23327d28c553f21eb73c6eb0a52094f9d3432041a7376e13d6e4e2fbae25

SHA512
2bab60352c5e366546c906effc8a21063471d409e033c6213f638290d070347003c6b8c5e539df973907f645ee09d8075d8c0d163b517bdcc26bea51a6aca417

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\accessibility.properties

Filesize
149B

MD5
2ed483df31645d3d00c625c00c1e5a14

SHA1
27c9b302d2d47aae04fc1f4ef9127a2835a77853

SHA256
68ef2f3c6d7636e39c6626ed1bd700e3a6b796c25a9e5feca4533abfacd61cdf

SHA512
4bf6d06f2ceaf070df4bd734370def74a6dd545fd40efd64a948e1422470ef39e37a4909feeb8f0731d5badb3dd9086e96dace6bdca7bbd3078e8383b16894da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\charsets.jar

Filesize
2.9MB

MD5
34310de6757bd2021b0f29c79c8b6df3

SHA1
e5156de43298c88411f0f99f5152613aeb7056d2

SHA256
8229a599d810c127b07544a00212bd9507a3f959ce8dedeae36d19b486fc38eb

SHA512
c76e962b8dd56256b61a1d6271f02463418cdc5451d8cf6d46619cee164ea0c5d4604ba8a4238da530946fa6f76a660a2bee8ad3c294cb96f174e2231af171ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\ext\meta-index

Filesize
1KB

MD5
af03d781ec85caa0f45e6e29830ce112

SHA1
ef3dd2f731903182e47cb83cdf275f5f0e58b3db

SHA256
8c55ed28260fcd7fd4e5d68e871a735148c01a711545602c2c26aa9d6653c05c

SHA512
df080f8c206ba125f5ce4129640fc05e9fc5b00fd87fe08866bbc7b67f5caa3ec2792dd874d49253a70ea0a9c3856c2e8ba4c39728656854a290cfdf6ba683a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\ext\sunec.jar

Filesize
46KB

MD5
3aa818677b2110d869452f4c1e5d8ee4

SHA1
9debfbf1878c636b139939b50c08aae64e87017f

SHA256
b50669bd14f4859f967c742549d3a7432c38b408a692a26ea14071c10114acd2

SHA512
bf35be4fe4e6fd78d2c5ce98e941965be56af03598297ac361a0ddfbd39599b7bc4da3a713c527ad72fbc2fb89b454b6a141c1e863c44d5592563305048d4ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\ext\sunjce_provider.jar

Filesize
290KB

MD5
9f6496509e258d781b424555e4ecdc63

SHA1
46bbd3b61807306cfc01261caed05ab17ebee8e3

SHA256
f34ab951cf5b4e0bc0fe7be81d960a0a81602a14a2272a9f0d145295a4e863fb

SHA512
2836927225f779377fca68bf0ce698d4b528437392adb25b4b7b253127badda85321788bcd4e5dd3d6b00f8739b937759284606657df7aca80264abb8dd4ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\jce.jar

Filesize
120KB

MD5
3021dcbcc482c06331017d76779ab822

SHA1
3526265b6ee1a829712cf1c76240de085fb37d5a

SHA256
7ec62b7f02c2344b1d1484869e45bbb5c6723ec1d89c8c194df84e43b6312600

SHA512
b02fd3f3f0e43488d45d95a316611e944c0dcd47ca37fcaf3b698202b8338d58389035a8842f230e76bdc1d1450fa1cb35fac003860c02e8cd1d0521a01feb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\jfr.jar

Filesize
566KB

MD5
bfd9973fe4252042510ddbf6a355b4b6

SHA1
c4aa898f77d712e50f3c77006a8fb399cda7ac58

SHA256
34b04e7f1a986e31bae55ad59ee221e25f5588165ca237749f70d3efe260ac87

SHA512
7ea482e9e72d516c71ac588918d6f1deab2fd6b246c39e21f2f2cef948801508fdca46920308815c3a991deab1be58ad3f4e625271156d2ecedf0c16bce63c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\jsse.jar

Filesize
1.7MB

MD5
5091ec1cc2e577c73512f592363372cc

SHA1
b94203c5c64b5b068c2d73f125144508e21e9d2f

SHA256
dd43aba9348336404ca80828056ae5d8caf0e7072958abe1bff0e9524b5cd615

SHA512
fbb1ddda0899c387b0d6814fbfe4350aadb42b1ec7113a5628f9e0edfbf4eb66cb74c4b916a2cc81d1f26a98795249f5169e9228d658e1d84866d05b2508f405

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\meta-index

Filesize
2KB

MD5
689c0cbde7697f43642bf1134f4b70af

SHA1
307db1c4a9570f01479dea98f6b5bd33a1deb759

SHA256
6bd7ea02b9456a3730755e76d4ee1ccc04c524e93366cd74d7f42ac628d4ec77

SHA512
13afe0797d9c2c7ab8721fbedab42225b41f45059a9167c046a11e1bf6e03ad82accaed42884dff335b66ec41d3608d0d0bd06582af51634a81550c81baff2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\net.properties

Filesize
6KB

MD5
40ecda055b0667a3cc0b272cf4fe415e

SHA1
9aa14cc3fe10b8d097555e273026b5507ab7d09d

SHA256
f4567500fd182e9912c7ed58633eba1737619ebefc79c52a583df54a0226127a

SHA512
7dc981cb41848a66484c2a3e85a3dcff76a10a23cf9f800f1933d985b380ef77a8e2145a03ca430eac0c5e2895a323c500fdf7d38e9675f2c971da143ff54e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\resources.jar

Filesize
3.4MB

MD5
989c16470da4e0afeb98b6f3b951da5c

SHA1
dc8640d5a9b515c22d75a884da509171cde58daf

SHA256
561bebf0ddb83772d5aa75e83c8dc31de0d2cfaabe70014256b9751df50cfa9e

SHA512
71bc3300d0466b8e23467399ab60464361b8825cda350eccb31644090ab94a6e69899cfe15defca5b6ea4e659355d5a1934fd36d1b6bacdcafd2de747cc63bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\security\blacklisted.certs

Filesize
2KB

MD5
8273f70416f494f7fa5b6c70a101e00e

SHA1
aeaebb14fbf146fbb0aaf347446c08766c86ca7f

SHA256
583500b76965eb54b03493372989ab4d3426f85462d1db232c5ae6706a4d6c58

SHA512
e697a57d64ace1f302300f83e875c2726407f8daf7c1d38b07ab8b4b11299fd698582d825bee817a1af85a285f27877a9e603e48e01c72e482a04dc7ab12c8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\security\java.security

Filesize
57KB

MD5
724bf69fe7e2c763cd97c50c111d240f

SHA1
fa3bb1e8e8d2d920565f9260f705e76635591482

SHA256
30bdfb34c332d3822d93b119342b2686b8203209ac8dfa60e3ccb642b6ba11c4

SHA512
00ae66dcad3fbc2b32efcba2dffef5504b263ba0dd3aa2b12578b5c978a1625a1852a68e10c1af73effeac19a4f66614c1072d78ca60499a9bfd5f48af0ba9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar

Filesize
7KB

MD5
7cd241931e581db39238b62fd5880097

SHA1
ada41f7c008a5f46c82babd0875c9f9d8b7c7527

SHA256
c400958b3fb149c0d16a036b3d0d57fcf590f503e9581b026e4859ba5b9cf5f3

SHA512
817ee4fde105e43c689f48be4b90a2ec671a398a505d76a0fbe4bb684ac8543929861a71db37667cf636c747b7fa6f9f511b07545039e1c79bf0247162325f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-1.8\jre-1.8\lib\security\policy\unlimited\local_policy.jar

Filesize
7KB

MD5
7780e7612ff3b7127200204a2826ad48

SHA1
4b7043eba4b0831d7e28888f667e08d26bd7cde3

SHA256
4e3798894678465564ef479254deb85ef9221a2c82894d3fd1c4b2e3d45ce341

SHA512
cf3d0ede0544eab6bf57a92e964df19eb16a16e8991126b00abb43415894be80aed13ee969960766877cba1ffc525689632f1810f4e46b26eb2107dc584989b9

Download Submit
memory/1940-174-0x0000021CFFFB0000-0x0000021CFFFC2000-memory.dmp

Filesize
72KB

Download
memory/1940-173-0x0000021CFFF20000-0x0000021CFFF2A000-memory.dmp

Filesize
40KB

Download
memory/2536-12-0x00007FFA2A000000-0x00007FFA2AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-14-0x00007FFA2A000000-0x00007FFA2AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-18-0x00007FFA2A000000-0x00007FFA2AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-1-0x00007FFA2A003000-0x00007FFA2A005000-memory.dmp

Filesize
8KB

Download
memory/2536-2-0x0000024E747E0000-0x0000024E74802000-memory.dmp

Filesize
136KB

Download
memory/4880-819-0x0000022C5FB40000-0x0000022C5FB41000-memory.dmp

Filesize
4KB

Download
memory/4880-822-0x0000022C5FB40000-0x0000022C5FB41000-memory.dmp

Filesize
4KB

Download