Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7v20201028
submitted: 22-01-2021 16:54
Static task: static1
Behavioral task: behavioral1
  Sample: jre-8u281-windows-x64.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: jre-8u281-windows-x64.exe
  Resource: win10v20201028
General
Target: jre-8u281-windows-x64.exe
Size: 79.7MB
MD5: c6136758f1fec04a2f7f01249280c315
SHA1: 5835e46596fe9f4dfe48fd5dd3947dc650d196ec
SHA256: 27fd9a85f2b49ae6a11b15e36ab28c0493d5572357edf2990a65a2b56f1e1157
SHA512: 045f33920fb3882d8f24c06e2179934601396636d2ddc360a2a6f03862e40b188506f8da530e4197e4a0e1c79cda48987e810425079377f357fbcf7950c6b030
Signatures
Registers COM server for autorun 1 TTPs
Blocklisted process makes network request 2 IoCs
Processes:
  flow 11  pid 1620  msiexec.exe
  flow 12  pid 1620  msiexec.exe
Executes dropped EXE 17 IoCs
Processes:
  resource: C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe  yara_rule: upx
  resource: C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe  yara_rule: upx
  resource: \ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe  yara_rule: upx
  resource: \ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe  yara_rule: upx
  resource: \ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe  yara_rule: upx
Loads dropped DLL 64 IoCs
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
Drops file in System32 directory 5 IoCs
Processes:
  File created: C:\Windows\system32\javaw.exe (rundll32.exe)
  File created: C:\Windows\system32\WindowsAccessBridge-64.dll (rundll32.exe)
  File created: C:\Windows\system32\WindowsAccessBridge-64.dll (installer.exe)
  File opened for modification: C:\Windows\system32\javaws.exe (rundll32.exe)
  File created: C:\Windows\system32\java.exe (rundll32.exe)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (msiexec.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (msiexec.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Processes:
rundll32.exessvagent.exeinstaller.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" rundll32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBA}\INPROCSERVER32 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" ssvagent.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBA} rundll32.exe Key deleted \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBA}\INPROCSERVER32 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_202" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0137-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_137" installer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" ssvagent.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" ssvagent.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" rundll32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBA} rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" 
installer.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBB}\InprocServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBA}\InprocServer32 | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_227" | rundll32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0255-ABCDEFFEDCBC}\INPROCSERVER32 | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_75" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_25" | ssvagent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_92" | ssvagent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_52" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}\InprocServer32 | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBC}\INPROCSERVER32 | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBB}\INPROCSERVER32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBC} | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | ssvagent.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC} | ssvagent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0190-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_190" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBA} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBA} | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | ssvagent.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBB} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_93" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_80" | ssvagent.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | ssvagent.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBA}\InprocServer32 | ssvagent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_04" | rundll32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0184-ABCDEFFEDCBA} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_134" | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jnlps | installer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBB} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBB}\InprocServer32 | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA} | installer.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB} | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0262-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | ssvagent.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA} | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBB} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | installer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0148-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | ssvagent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | ssvagent.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | rundll32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBB} | rundll32.exe
-
Every CLSID above follows the Java Plug-in pattern {CAFEEFAC-<version digits>-<minor>-<update>-ABCDEFFEDCBx}, and every InprocServer32 default written here resolves to C:\Program Files\Java\jre1.8.0_281\bin\jp2iexp.dll. When triaging a COM-registration signature like this, the value to check is that target path: a CLSID hijack keeps the same key and changes only the DLL it loads.
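Added triage helper (my own example, not part of the Triage report or of Oracle's installer). It parses registry events written one per line as `action | ioc | process`, decodes the JRE version encoded in each Java Plug-in CLSID (the mapping is inferred from the report's own default-value strings, e.g. 0014-0002-0025 = "Java Plug-in 1.4.2_25"), and flags any InprocServer32 default that does not resolve into the JRE's bin directory. The sample lines are copied from the events above; the last line, with C:\Users\Public\evil.dll, is constructed to show what a hijacked registration would look like and does not occur in this report.

```python
import re
from collections import Counter

# Where every InprocServer32 default in this report points (taken from the report's own values).
EXPECTED_DIR = r"C:\Program Files\Java\jre1.8.0_281\bin" + "\\"

# One event per line: "<action> | <ioc> | <process>" (the layout this example assumes).
EVENT_RE = re.compile(
    r"^(?P<action>Key created|Key deleted|Set value \([a-z]+\))\s*\|\s*"
    r"(?P<ioc>.+?)\s*\|\s*(?P<process>\S+)$")
# Java Plug-in CLSIDs encode the JRE version: the first field holds the two leading
# version digits ("0018" = 1.8), then minor and update, then a fixed ABCDEFFEDCB[ABC] tail.
CLSID_RE = re.compile(r"\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCB[ABC]\}", re.IGNORECASE)
# Triage prints Set value events as <key>\<value name> = "<data>"; an empty name is the default value.
VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')


def clsid_to_version(text):
    """Return the JRE version string encoded in a CAFEEFAC CLSID found in text, or None."""
    m = CLSID_RE.search(text)
    if not m:
        return None
    family, minor, update = (int(g) for g in m.groups())
    return f"{family // 10}.{family % 10}.{minor}_{update:02d}"


def parse_event(line):
    """Split one event line into its fields; returns None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev.update(key=ev["ioc"], value_name=None, data=None)
    if ev["action"].startswith("Set value"):
        v = VALUE_RE.match(ev["ioc"])
        if v:
            ev["key"] = v.group("key")
            ev["value_name"] = v.group("name")
            ev["data"] = v.group("data").replace("\\\\", "\\")  # undo the report's doubled backslashes
    c = CLSID_RE.search(ev["ioc"])
    ev["clsid"] = c.group(0) if c else None
    return ev


def triage(lines, expected_dir=EXPECTED_DIR):
    """Summarise COM registrations: who wrote them, which versions, and which DLL each CLSID now loads."""
    report = {"by_process": Counter(), "versions": set(),
              "inproc_targets": Counter(), "suspicious": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        report["by_process"][ev["process"]] += 1
        version = clsid_to_version(ev["ioc"])
        if version:
            report["versions"].add(version)
        # Only the default value of an InprocServer32 key names the DLL that COM will load.
        if ev["data"] is not None and ev["value_name"] == "" \
                and ev["key"].upper().endswith("\\INPROCSERVER32"):
            target = ev["data"]
            report["inproc_targets"][target] += 1
            if not target.lower().startswith(expected_dir.lower()):
                report["suspicious"].append((ev["clsid"], version, target, ev["process"]))
    return report


# Constructed sample: five lines taken from the report above plus one hypothetical hijack (last line).
SAMPLE_EVENTS = r'''
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | installer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_25" | ssvagent.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_281\\bin\\jp2iexp.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Users\\Public\\evil.dll" | rundll32.exe
'''.strip().splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    print("versions touched:", sorted(r["versions"]))
    print("InprocServer32 targets:", dict(r["inproc_targets"]))
    for clsid, version, target, proc in r["suspicious"]:
        print(f"SUSPICIOUS: {proc} pointed {clsid} ({version}) at {target}")
```

Run against the full event list (after splitting it one event per line) the `suspicious` list should stay empty for this sample; anything in it is the CLSID worth pulling apart first.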
Modifies system certificate store
Processes:
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | jre-8u281-windows-x64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | jre-8u281-windows-x64.exe
-
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of the DigiCert Global Root CA. AuthRoot\Certificates is the store CryptoAPI fills from Microsoft's automatic root update when it needs a root it does not yet hold, typically while validating an Authenticode chain; the CryptnetUrlCache entry under Downloads is the network side of the same mechanism. A root planted by an attacker would be expected under ROOT\Certificates (or the user's store) with a thumbprint that is not on Microsoft's trusted root list, so the check here is the thumbprint and the store, not the fact of the write.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1644 | javaws.exe
972 | jp2launcher.exe
892 | javaws.exe
1084 | jp2launcher.exe
568 | MSI2CDD.tmp
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | privileges enabled, in the order observed
1384 | jre-8u281-windows-x64.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then (after the first three msiexec.exe entries) SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
1620 | msiexec.exe | SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for the remaining 30 entries
-
The 1384 sequence walks the whole privilege list in LSA constant order (SeCreateToken through SeCreateGlobal), which is the pattern of an installer enabling every privilege its token might hold rather than a targeted request for SeDebugPrivilege. These entries record the AdjustTokenPrivileges calls, not their effect: a privilege the token does not hold is silently skipped, so which ones actually took effect depends on the token the installer ran under.
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1384 | jre-8u281-windows-x64.exe (4 entries)
972 | jp2launcher.exe
1084 | jp2launcher.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
writer pid/process | target pid/process | entries
776 jre-8u281-windows-x64.exe | 1384 jre-8u281-windows-x64.exe | 3
1620 msiexec.exe | 1228 MsiExec.exe | 5
1620 msiexec.exe | 792 installer.exe | 3
792 installer.exe | 304 bspatch.exe | 7
792 installer.exe | 1928 unpack200.exe | 3
792 installer.exe | 1880 unpack200.exe | 3
792 installer.exe | 1772 unpack200.exe | 3
792 installer.exe | 1484 unpack200.exe | 3
792 installer.exe | 336 unpack200.exe | 3
792 installer.exe | 1328 unpack200.exe | 3
792 installer.exe | 1164 unpack200.exe | 3
792 installer.exe | 1496 javaw.exe | 3
792 installer.exe | 1644 javaws.exe | 3
1644 javaws.exe | 972 jp2launcher.exe | 3
792 installer.exe | 892 javaws.exe | 3
892 javaws.exe | 1084 jp2launcher.exe | 3
1620 msiexec.exe | 748 MsiExec.exe | 5
1620 msiexec.exe | 1100 MsiExec.exe | 5
Every target here is a child the writer itself created (compare the process tree below), which is the WriteProcessMemory a parent performs while setting up a new process; writes into a process the writer did not spawn would be the injection pattern this signature is meant to surface.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\jre-8u281-windows-x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jre-8u281-windows-x64.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe"
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\MsiExec.exe
        Command line: C:\Windows\system32\MsiExec.exe -Embedding 71ADC49F15CEC242A5B2540F27DF1B0E
        - Loads dropped DLL

    [2] C:\Program Files\Java\jre1.8.0_281\installer.exe
        Command line: "C:\Program Files\Java\jre1.8.0_281\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_281\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180281F0}
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
            Command line: "bspatch.exe" baseimagefam8 newimage diff
            - Executes dropped EXE
            - Loads dropped DLL

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_281\lib/plugin.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_281\lib/javaws.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_281\lib/deploy.jar"
            - Executes dropped EXE
            - Loads dropped DLL

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_281\lib/rt.jar"
            - Executes dropped EXE

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_281\lib/jsse.jar"
            - Executes dropped EXE

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_281\lib/charsets.jar"
            - Executes dropped EXE

        [3] C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_281\lib/ext/localedata.jar"
            - Executes dropped EXE

        [3] C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
            - Executes dropped EXE

        [3] C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\ssvagent.exe" -doHKCUSSVSetup
            - Executes dropped EXE
            - Modifies registry class

        [3] C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -permissions -silent
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
                Command line: "C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma 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 -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx

        [3] C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe
            Command line: "C:\Program Files\Java\jre1.8.0_281\bin\javaws.exe" -wait -fix -shortcut -silent
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe
                Command line: "C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_281" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\system32\MsiExec.exe
        Command line: C:\Windows\system32\MsiExec.exe -Embedding 1CDC5156D9295322A315F586E5C0A4C1 M Global\MSI0000

    [2] C:\Windows\system32\MsiExec.exe
        Command line: C:\Windows\system32\MsiExec.exe -Embedding B1F4431852DB20DEAD57B289D447908C

    [2] C:\Windows\Installer\MSI2CDD.tmp
        Command line: "C:\Windows\Installer\MSI2CDD.tmp" C:\Program Files\Java\jre7\;C;2
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Modifies registry class
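The two jp2launcher.exe command lines above hide the interesting part behind -vma and -ma blobs. Decoding the report's own strings shows each blob is a base64-encoded, NUL-separated argument list (JVM arguments for -vma, javaws verbs for -ma). The script below is an added example of mine, not code from the report or from Oracle's tooling: it decodes both blobs from a command line and pulls out the settings a reviewer would check (security manager on, which policy file, which jars are on the boot class path, and whether any path escapes the JRE directory). The sample command lines are constructed from the process tree above; the -vma blob of the first jp2launcher line is elided in the report, so that sample carries only its -ma switch, which also exercises the missing-blob path.

```python
import base64
import binascii
import re

# Install directory of the JRE under analysis (from the command lines above).
JRE_DIR = r"C:\Program Files\Java\jre1.8.0_281" + "\\"

ARG_RE = re.compile(r"-(vma|ma)\s+([A-Za-z0-9+/]+=*)")  # jp2launcher's two blob switches
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^;\x00]+")         # absolute Windows paths inside an argument


def decode_blob(b64):
    """Undo jp2launcher's packing: base64 over a NUL-separated UTF-8 argv. None if not decodable."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-8").rstrip("\x00").split("\x00")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_jp2launcher_args(cmdline):
    """Return {"vma": [...], "ma": [...]}; a switch that is absent or not valid base64 maps to None."""
    found = {m.group(1): decode_blob(m.group(2)) for m in ARG_RE.finditer(cmdline)}
    return {"vma": found.get("vma"), "ma": found.get("ma")}


def summarize_vm_args(vm_args, jre_dir=JRE_DIR):
    """Pull the review-relevant settings out of a decoded JVM argument list."""
    paths = [p for arg in vm_args for p in WIN_PATH_RE.findall(arg)]
    boot = next((a for a in vm_args if a.startswith("-Xbootclasspath/a:")), "")
    policy = next((a.split("=", 1)[1] for a in vm_args if a.startswith("-Djava.security.policy=")), None)
    return {
        "security_manager": "-Djava.security.manager" in vm_args,
        "policy": policy,
        "bootclasspath": boot[len("-Xbootclasspath/a:"):].split(";") if boot else [],
        # A jar, policy file or launcher outside the JRE directory would deserve a closer look.
        "foreign_paths": [p for p in paths if not p.lower().startswith(jre_dir.lower())],
    }


# Constructed from the "-wait -fix -shortcut -silent" jp2launcher line in the process tree above.
SHORTCUT_CMDLINE = (
    r'"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws '
    r'-jre "C:\Program Files\Java\jre1.8.0_281" -vma '
    "LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxkZXBsb3kuamFy"
    "AC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5"
    "AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxiaW4"
    "ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVl"
    "AC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yODFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI4MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGxpYlxwbHVnaW4uamFy"
    "AC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjgxXGJpblxqYXZhdy5leGU="
    " -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ=="
)
# Constructed from the "-wait -fix -permissions -silent" line; its -vma blob is elided in the report.
PERMISSIONS_CMDLINE = (
    r'"C:\Program Files\Java\jre1.8.0_281\bin\jp2launcher.exe" -secure -javaws '
    r'-jre "C:\Program Files\Java\jre1.8.0_281"'
    " -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ=="
)

if __name__ == "__main__":
    for name, cmd in (("shortcut", SHORTCUT_CMDLINE), ("permissions", PERMISSIONS_CMDLINE)):
        args = decode_jp2launcher_args(cmd)
        print(name, "-ma:", args["ma"])
        if args["vma"] is None:
            print(name, "-vma: not decodable from this command line")
            continue
        for line in args["vma"]:
            print("  ", line)
        print(name, "summary:", summarize_vm_args(args["vma"]))
```

For the shortcut run the decoded -vma puts deploy.jar on the class path, prepends javaws.jar, deploy.jar and plugin.jar to the boot class path, turns the security manager on with the bundled javaws.policy, and names javaw.exe as the JVM; every path stays inside C:\Program Files\Java\jre1.8.0_281, so `foreign_paths` comes back empty.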
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Java\jre1.8.0_281\bin\VCRUNTIME140.dll
MD5: 1453290db80241683288f33e6dd5e80e
SHA1: 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256: 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512: 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l1-2-0.dll
MD5: 35bc1f1c6fbccec7eb8819178ef67664
SHA1: bbcad0148ff008e984a75937aaddf1ef6fda5e0c
SHA256: 7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7
SHA512: 9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll
MD5: 3bf4406de02aa148f460e5d709f4f67d
SHA1: 89b28107c39bb216da00507ffd8adb7838d883f6
SHA256: 349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e
SHA512: 5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll
MD5: 8acb83d102dabd9a5017a94239a2b0c6
SHA1: 9b43a40a7b498e02f96107e1524fe2f4112d36ae
SHA256: 059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413
SHA512: b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5: 9c9b50b204fcb84265810ef1f3c5d70a
SHA1: 0913ab720bd692abcdb18a2609df6a7f85d96db3
SHA256: 25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40
SHA512: ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-synch-l1-2-0.dll
MD5: d175430eff058838cee2e334951f6c9c
SHA1: 7f17fbdcef12042d215828c1d6675e483a4c62b1
SHA256: 1c72ac404781a9986d8edeb0ee5dd39d2c27ce505683ca3324c0eccd6193610a
SHA512: 6076086082e3e824309ba2c178e95570a34ece6f2339be500b8b0a51f0f316b39a4c8d70898c4d50f89f3f43d65c5ebbec3094a47d91677399802f327287d43b

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5: 43e1ae2e432eb99aa4427bb68f8826bb
SHA1: eee1747b3ade5a9b985467512215caf7e0d4cb9b
SHA256: 3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c
SHA512: 40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-convert-l1-1-0.dll
MD5: 285dcd72d73559678cfd3ed39f81ddad
SHA1: df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a
SHA256: 6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44
SHA512: 84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-environment-l1-1-0.dll
MD5: 5cce7a5ed4c2ebaf9243b324f6618c0e
SHA1: fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3
SHA256: aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3
SHA512: fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-filesystem-l1-1-0.dll
MD5: 41fbbb054af69f0141e8fc7480d7f122
SHA1: 3613a572b462845d6478a92a94769885da0843af
SHA256: 974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c
SHA512: 97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-heap-l1-1-0.dll
MD5: 212d58cefb2347bd694b214a27828c83
SHA1: f0e98e2d594054e8a836bd9c6f68c3fe5048f870
SHA256: 8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989
SHA512: 637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-math-l1-1-0.dll
MD5: fb79420ec05aa715fe76d9b89111f3e2
SHA1: 15c6d65837c9979af7ec143e034923884c3b0dbd
SHA256: f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e
SHA512: c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5: 883120f9c25633b6c688577d024efd12
SHA1: e4fa6254623a2b4cdea61712cdfa9c91aa905f18
SHA256: 4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc
SHA512: f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dll
MD5: 29680d7b1105171116a137450c8bb452
SHA1: 492bb8c231aae9d5f5af565abb208a706fb2b130
SHA256: 6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af
SHA512: 87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-string-l1-1-0.dll
MD5: f816666e3fc087cd24828943cb15f260
SHA1: eae814c9c41e3d333f43890ed7dafa3575e4c50e
SHA256: 45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a
SHA512: 6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-time-l1-1-0.dll
MD5: 143a735134cd8c889ec7d7b85298705b
SHA1: 906ac1f3a933dd57798ae826bbefa3096c20d424
SHA256: b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2
SHA512: c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

C:\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dll
MD5: 6f1a1dfb2761228ccc7d07b8b190054c
SHA1: 117d66360c84a0088626e22d8b3b4b685cb70d56
SHA256: c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed
SHA512: 480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

C:\Program Files\Java\jre1.8.0_281\bin\ucrtbase.DLL
MD5: 61eb0ad4c285b60732353a0cb5c9b2ab
SHA1: 21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256: 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512: 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

C:\Program Files\Java\jre1.8.0_281\bin\unpack200.exe
MD5: 9bc8abeedf17b7e6bf826dd8ddeec12b
SHA1: 5bdf9e3f1ccd272c20e85dc3782065ce2cda4285
SHA256: 3122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1
SHA512: 425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f

C:\Program Files\Java\jre1.8.0_281\installer.exe
MD5: fa4ee41538e227270b4c5043c5f01659
SHA1: c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c
SHA256: a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98
SHA512: 41a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf

C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\baseimagefam8
MD5: 22646919b87d1a6dfc371464405b373b
SHA1: 2296c69b12c3e0244fc59586f794457a4735e692
SHA256: 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11
SHA512: b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exe
MD5: 2e7543a4deec9620c101771ca9b45d85
SHA1: fa33f3098c511a1192111f0b29a09064a7568029
SHA256: 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512: 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\diff
MD5: d5b61c2cfe78a2dd2a3504fe50f3a2af
SHA1: 1367bdab2d2d4ca27e5821cb11183f25c091adfa
SHA256: 547295e7e127d4b8e03dc8531ca96fbff3d4940a08a2e0237be30955c9f42288
SHA512: 057b2deb59a559ec314d3aba0f3b44f35d6607ab5e9538a00cb58066d34a9ce989dbc0aa26b0ffdd20e3ddf60655086b4d4a879bb1f294f08f482734225b9319

C:\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\newimage
MD5: 26e47c6e1ea3599d0afc66fab66d1832
SHA1: cfde5aedc9d5f102a35e8c552fc1f8c1adf403f5
SHA256: c998e8ce2e242a54125e408b9d4ea8f9e055e0fe9282a27bb4a521853e140e4d
SHA512: 93fff745724345809f74cc5373590b7ef3b9d8047d34de4144036f90dc4020a50ca268891d07ebd13fe32f5894128dd0f608d7aa2ef760bdb90b151b242e4cc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: e19b6efae26c7844dc803e9707b2b1b0
SHA1: 22ee25cd29e6f6cda5e6a67bf25a5105a992a6af
SHA256: ef30a12f1f4a2f2fbfe30dcab95e4ee63b14dc4cebb6cc9e35d0ca6a5361f069
SHA512: b78ae839111aa7c09ccf555e71075919cee3c1b3f0d0683372f7dc67bef713bf1124a33e4e0f6a2ae48026db991cdf87b0f1d8acccc0fe2ed2304bf64c15cc89

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_281_x64\jre1.8.0_28164.msi
MD5: 7e071988c06dfbe07b08d3101f529514
SHA1: 15253d178036122e31c410a8775ac778d49554cd
SHA256: 430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d
SHA512: 47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

C:\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exe
MD5: fcd2bc341d811dd3ef5f76e88fcb4c23
SHA1: 85738726745d049d85c8683f472ce0b400a37482
SHA256: dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773
SHA512: 3363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce

C:\Users\Admin\AppData\Local\Temp\jusched.log (first capture)
MD5: e390fe14fddc2fba65fb306d65757725
SHA1: 31414d2d2fdfb487d99a7dda22f9a136fa79e79c
SHA256: 27ef8690caf3ac7b0095b8559995468a2899602181c5a6b6ece09ea2167b0186
SHA512: 1ea787c682787b387bec6f2b41522455b14f0201f77aa6e2a56c5678dc121639f702ede51f70b33569c9d8ff9505c205b52103ecbaf1b7b7ecdfb40cd408b9fc

C:\Users\Admin\AppData\Local\Temp\jusched.log (second capture)
MD5: eb7f3ed3de97d2bd538f57540dcb858b
SHA1: 1487ae54ae9b9b33f99d51cc2cdc4777fa8448d0
SHA256: e2cb951a42248e3edec0dae249f66bc6c73a6eae62f87355cba87047732be870
SHA512: 659825650eb7e78d6dc019b7bb4f79667abdda85d2df5987809f23e13f5aee9c7ef4a5c1d7182f7d2e03ea7a1bb2716d21e4fb637b7b4947564feb6d0ca064fd

C:\Users\Admin\AppData\Local\Temp\jusched.log (third capture)
MD5: 6b73128d739a2cd96b5e10bb25c1e7de
SHA1: e0164bae6bfc75031b1139ec7208bd50ba325724
SHA256: 3029aa85bdc6583f69c424721c0dc587645b205958cab204482e167039b17320
SHA512: 0d1797ca60054310568e4bf94bd91c638f5f1afd4688576ca8b98cedd95028bb97f36be702a58083074eb8dcbcac8b25ca16a832b2711f6b070f0dd6e59b06ec

C:\Windows\Installer\MSI9890.tmp, C:\Windows\Installer\MSI9D71.tmp, C:\Windows\Installer\MSIA002.tmp (identical content)
MD5: 36702dc0af0ebdc03fa68624f4bde4b0
SHA1: d25f646db7eccdc1dbe425087131a17c1e6397a4
SHA256: c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da
SHA512: 2fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831

C:\Windows\Installer\f748c6b.msi
MD5: 7e071988c06dfbe07b08d3101f529514
SHA1: 15253d178036122e31c410a8775ac778d49554cd
SHA256: 430e639c217fdcb57ba5cd09711a7701d589b313c0874d70dd53248191c2158d
SHA512: 47d41aab59419874e1e2f8da0fb5f05951aa7901cf70a2dd5239e4ca504d5816caa4e02719ee468afb9438d79f5e2d4f6eae93e7d6fdc6c70f82f3feb5da0e25

The same drops are also recorded under their drive-relative paths, with hashes identical to the C:\Program Files entries of the same name above:
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l1-2-0.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-file-l2-1-0.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-localization-l1-2-0.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-processthreads-l1-1-1.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-synch-l1-2-0.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-core-timezone-l1-1-0.dll
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-convert-l1-1-0.dll
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-environment-l1-1-0.dllMD5
5cce7a5ed4c2ebaf9243b324f6618c0e
SHA1fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3
SHA256aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3
SHA512fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-filesystem-l1-1-0.dllMD5
41fbbb054af69f0141e8fc7480d7f122
SHA13613a572b462845d6478a92a94769885da0843af
SHA256974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c
SHA51297fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-heap-l1-1-0.dllMD5
212d58cefb2347bd694b214a27828c83
SHA1f0e98e2d594054e8a836bd9c6f68c3fe5048f870
SHA2568166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989
SHA512637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-runtime-l1-1-0.dllMD5
883120f9c25633b6c688577d024efd12
SHA1e4fa6254623a2b4cdea61712cdfa9c91aa905f18
SHA2564390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc
SHA512f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-stdio-l1-1-0.dllMD5
29680d7b1105171116a137450c8bb452
SHA1492bb8c231aae9d5f5af565abb208a706fb2b130
SHA2566f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af
SHA51287dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-string-l1-1-0.dllMD5
f816666e3fc087cd24828943cb15f260
SHA1eae814c9c41e3d333f43890ed7dafa3575e4c50e
SHA25645e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a
SHA5126860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-time-l1-1-0.dllMD5
143a735134cd8c889ec7d7b85298705b
SHA1906ac1f3a933dd57798ae826bbefa3096c20d424
SHA256b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2
SHA512c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48
-
\Program Files\Java\jre1.8.0_281\bin\api-ms-win-crt-utility-l1-1-0.dllMD5
6f1a1dfb2761228ccc7d07b8b190054c
SHA1117d66360c84a0088626e22d8b3b4b685cb70d56
SHA256c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed
SHA512480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2
-
\Program Files\Java\jre1.8.0_281\bin\ucrtbase.dllMD5
61eb0ad4c285b60732353a0cb5c9b2ab
SHA121a1bea01f6ca7e9828a522c696853706d0a457b
SHA25610521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA51244cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d
-
\Program Files\Java\jre1.8.0_281\bin\unpack200.exeMD5
9bc8abeedf17b7e6bf826dd8ddeec12b
SHA15bdf9e3f1ccd272c20e85dc3782065ce2cda4285
SHA2563122e3a84aaa39a52962e1f134408ea609ac4916c7461db96c10d7cf0d4d1ef1
SHA512425cef99302f1bdb8359c5f18a3ab74b37432958767677102dbbd5bfe727304605440142163450de59d6297053d67bfe46cdb486b889d8502fcd547b2f3a8d4f
-
\Program Files\Java\jre1.8.0_281\bin\vcruntime140.dllMD5
1453290db80241683288f33e6dd5e80e
SHA129fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA2562b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA5124ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91
-
\Program Files\Java\jre1.8.0_281\installer.exeMD5
fa4ee41538e227270b4c5043c5f01659
SHA1c4f2b6ef6037e5b5b4bc7ac923ceafbd6fa9d34c
SHA256a1444bfdcad52b76400b42d2df55ee42f065ed6c015c567c526fca634b29fb98
SHA51241a54772f6fc3054b796104b73618342196b8d3eb0afad007f1915eb69c2a65f1aed8b9a5a80424c2096c4e719c733aeb7bd83f10e9f6e2367a10e7ea8467ccf
-
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exeMD5
2e7543a4deec9620c101771ca9b45d85
SHA1fa33f3098c511a1192111f0b29a09064a7568029
SHA25632a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA5128a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exeMD5
2e7543a4deec9620c101771ca9b45d85
SHA1fa33f3098c511a1192111f0b29a09064a7568029
SHA25632a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA5128a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
\ProgramData\Oracle\Java\installcache_x64\259303910.tmp\bspatch.exeMD5
2e7543a4deec9620c101771ca9b45d85
SHA1fa33f3098c511a1192111f0b29a09064a7568029
SHA25632a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA5128a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d
-
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exeMD5
fcd2bc341d811dd3ef5f76e88fcb4c23
SHA185738726745d049d85c8683f472ce0b400a37482
SHA256dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773
SHA5123363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce
-
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exeMD5
fcd2bc341d811dd3ef5f76e88fcb4c23
SHA185738726745d049d85c8683f472ce0b400a37482
SHA256dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773
SHA5123363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce
-
\Users\Admin\AppData\Local\Temp\jds259263708.tmp\jre-8u281-windows-x64.exeMD5
fcd2bc341d811dd3ef5f76e88fcb4c23
SHA185738726745d049d85c8683f472ce0b400a37482
SHA256dbb7b2dd49ca9beb6ee0cdaf3fa0ff1d0a500c3c7f9c35ef2e23ababa0225773
SHA5123363c2cc72abfe2369834a1fd647d785cb5c65f78923719849c52b7b2a47ef94936abd4cc6ead903208a44859350e533e4748a067e908948fbb35703a4052cce
-
\Windows\Installer\MSI9890.tmpMD5
36702dc0af0ebdc03fa68624f4bde4b0
SHA1d25f646db7eccdc1dbe425087131a17c1e6397a4
SHA256c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da
SHA5122fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831
-
\Windows\Installer\MSI9D71.tmpMD5
36702dc0af0ebdc03fa68624f4bde4b0
SHA1d25f646db7eccdc1dbe425087131a17c1e6397a4
SHA256c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da
SHA5122fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831
-
\Windows\Installer\MSIA002.tmpMD5
36702dc0af0ebdc03fa68624f4bde4b0
SHA1d25f646db7eccdc1dbe425087131a17c1e6397a4
SHA256c44ae435d3efae2846249c4aa2ef90e9021e9b5754cf8838a06e4720bf4f75da
SHA5122fa51b95a5a0f6bb6c5ecf79c8557e4f514f1ef01e5d99d3fa970fa9651e78a949812daccaf5d7b41a10dfb7dba61deae5d9c4cee4e7f3461420166af4482831
-