8a516f2df2e8f496a4bf7866036797959e63bbb6658e1f82b671b85227afecb5

Resubmissions

05-06-2021 18:38

210605-hf9v5m752s 4

05-06-2021 18:30

210605-p2t1d7794j 10

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20210408
submitted
05-06-2021 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grossly Minecraft 1..exe
Size

8.4MB
MD5

7c6c6b9e9111447af1236378c02566c2
SHA1

21340606037756badc4332a8217545dd47e9f24b
SHA256

8a516f2df2e8f496a4bf7866036797959e63bbb6658e1f82b671b85227afecb5
SHA512

2a64e4d159cfc1748eb4768d6072df5c6014a01c81681d26aa35ec9ec1e9346fd3961f51d3db5ff424120ee01486b7f92685d0ec8e935488f2b82cd2b40a2745

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

82 1572 msiexec.exe
Downloads MZ/PE file

flow	pid	process
82	1572	msiexec.exe

Executes dropped EXE 19 IoCs

Processes:

JavaSetup8u291.exeJavaSetup8u291.exeLZMA_EXELZMA_EXEinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exe

pid	process
1720	JavaSetup8u291.exe
940	JavaSetup8u291.exe
1728	LZMA_EXE
652	LZMA_EXE
1152	installer.exe
1708	bspatch.exe
2104	unpack200.exe
2200	unpack200.exe
2224	unpack200.exe
2248	unpack200.exe
2272	unpack200.exe
2296	unpack200.exe
2324	unpack200.exe
2356	javaw.exe
2428	ssvagent.exe
2440	javaws.exe
2460	jp2launcher.exe
2728	javaws.exe
2748	jp2launcher.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe	upx

Loads dropped DLL 64 IoCs

Processes:

JavaSetup8u291.exeJavaSetup8u291.exeMsiExec.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exe

pid	process
1720	JavaSetup8u291.exe
940	JavaSetup8u291.exe
940	JavaSetup8u291.exe
940	JavaSetup8u291.exe
1432	MsiExec.exe
1432	MsiExec.exe
1432	MsiExec.exe
1152	installer.exe
1708	bspatch.exe
1708	bspatch.exe
1708	bspatch.exe
1152	installer.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2104	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2200	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe
2224	unpack200.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exejp2launcher.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\deploy\messages_fr.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\LICENSE	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\lcms.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\prism_sw.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\sunec.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\net.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\javafx\public_suffix.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\giflib.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\README.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\dcpr.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\management.dll	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259381021\java.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-crt-environment-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\splashscreen.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\jce.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-namedpipe-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\JAWTAccessBridge-32.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\javafx.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\awt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\jdwp.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\bcel.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\tnameserv.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\verify.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\plugin.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\deploy.pack	installer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-profile-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\resource.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\dom.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\management\management.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\jabswitch.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\klist.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\charsets.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\jfxswt.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\tzdb.dat	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\glib-lite.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\jfxwebkit.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\orbd.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\flavormap.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\hs_err_pid2748.log	jp2launcher.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\gstreamer-lite.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\JavaAccessBridge-32.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\legal\jdk\asm.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\lib\security\policy\limited\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-interlocked-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-crt-conio-l1-1-0.dll	installer.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f755054.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755059.ipi	msiexec.exe
File created	C:\Windows\Installer\f755052.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755052.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BC0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f755054.ipi	msiexec.exe
File created	C:\Windows\Installer\f755057.msi	msiexec.exe
File created	C:\Windows\Installer\f755059.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5404.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55AB.tmp	msiexec.exe
File created	C:\Windows\Installer\f75505b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI585F.tmp	msiexec.exe
File created	C:\Windows\Installer\f755056.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f755057.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 300edb24495ad701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEinstaller.exeJavaSetup8u291.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505fc531495ad701	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "329689789"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{587C37A1-C63C-11EB-9E73-C65640CBF56B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "333"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "209"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "333"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u291.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0081-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_207"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0276-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0225-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_78"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_09"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_122"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_05"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0276-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0264-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_108"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0199-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0061-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_74"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0141-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_13"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_05"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_30"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0096-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0217-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0193-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0263-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0054-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0300-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_46"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0166-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0050-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0247-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0187-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0162-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0235-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0205-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0108-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0192-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0285-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0209-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_29"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_270"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0156-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0100-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_100"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_56"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0276-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_276"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0283-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0089-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_41"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_59"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0206-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_238"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_27"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0236-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0260-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0184-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0189-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_34"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0247-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0135-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_291\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_04"	ssvagent.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

javaws.exejp2launcher.exejavaws.exejp2launcher.exemsiexec.exe

pid process

2440 javaws.exe
2460 jp2launcher.exe
2728 javaws.exe
2748 jp2launcher.exe
1572 msiexec.exe
1572 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1632 IEXPLORE.EXE

pid	process
2440	javaws.exe
2460	jp2launcher.exe
2728	javaws.exe
2748	jp2launcher.exe
1572	msiexec.exe
1572	msiexec.exe

pid	process
1632	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JavaSetup8u291.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	940	JavaSetup8u291.exe
Token: SeIncreaseQuotaPrivilege	940	JavaSetup8u291.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	940	JavaSetup8u291.exe
Token: SeAssignPrimaryTokenPrivilege	940	JavaSetup8u291.exe
Token: SeLockMemoryPrivilege	940	JavaSetup8u291.exe
Token: SeIncreaseQuotaPrivilege	940	JavaSetup8u291.exe
Token: SeMachineAccountPrivilege	940	JavaSetup8u291.exe
Token: SeTcbPrivilege	940	JavaSetup8u291.exe
Token: SeSecurityPrivilege	940	JavaSetup8u291.exe
Token: SeTakeOwnershipPrivilege	940	JavaSetup8u291.exe
Token: SeLoadDriverPrivilege	940	JavaSetup8u291.exe
Token: SeSystemProfilePrivilege	940	JavaSetup8u291.exe
Token: SeSystemtimePrivilege	940	JavaSetup8u291.exe
Token: SeProfSingleProcessPrivilege	940	JavaSetup8u291.exe
Token: SeIncBasePriorityPrivilege	940	JavaSetup8u291.exe
Token: SeCreatePagefilePrivilege	940	JavaSetup8u291.exe
Token: SeCreatePermanentPrivilege	940	JavaSetup8u291.exe
Token: SeBackupPrivilege	940	JavaSetup8u291.exe
Token: SeRestorePrivilege	940	JavaSetup8u291.exe
Token: SeShutdownPrivilege	940	JavaSetup8u291.exe
Token: SeDebugPrivilege	940	JavaSetup8u291.exe
Token: SeAuditPrivilege	940	JavaSetup8u291.exe
Token: SeSystemEnvironmentPrivilege	940	JavaSetup8u291.exe
Token: SeChangeNotifyPrivilege	940	JavaSetup8u291.exe
Token: SeRemoteShutdownPrivilege	940	JavaSetup8u291.exe
Token: SeUndockPrivilege	940	JavaSetup8u291.exe
Token: SeSyncAgentPrivilege	940	JavaSetup8u291.exe
Token: SeEnableDelegationPrivilege	940	JavaSetup8u291.exe
Token: SeManageVolumePrivilege	940	JavaSetup8u291.exe
Token: SeImpersonatePrivilege	940	JavaSetup8u291.exe
Token: SeCreateGlobalPrivilege	940	JavaSetup8u291.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1908 iexplore.exe
1908 iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

iexplore.exeIEXPLORE.EXEJavaSetup8u291.exejp2launcher.exe

pid	process
1908	iexplore.exe
1908	iexplore.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
940	JavaSetup8u291.exe
940	JavaSetup8u291.exe
940	JavaSetup8u291.exe
940	JavaSetup8u291.exe
2460	jp2launcher.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Grossly Minecraft 1..exeiexplore.exeJavaSetup8u291.exeJavaSetup8u291.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 1776 wrote to memory of 1908	1776	Grossly Minecraft 1..exe	iexplore.exe
PID 1776 wrote to memory of 1908	1776	Grossly Minecraft 1..exe	iexplore.exe
PID 1776 wrote to memory of 1908	1776	Grossly Minecraft 1..exe	iexplore.exe
PID 1776 wrote to memory of 1908	1776	Grossly Minecraft 1..exe	iexplore.exe
PID 1908 wrote to memory of 1632	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1632	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1632	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1632	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1908 wrote to memory of 1720	1908	iexplore.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 1720 wrote to memory of 940	1720	JavaSetup8u291.exe	JavaSetup8u291.exe
PID 940 wrote to memory of 1728	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 1728	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 1728	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 1728	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 652	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 652	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 652	940	JavaSetup8u291.exe	LZMA_EXE
PID 940 wrote to memory of 652	940	JavaSetup8u291.exe	LZMA_EXE
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1432	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1572 wrote to memory of 1152	1572	msiexec.exe	installer.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 1708	1152	installer.exe	bspatch.exe
PID 1152 wrote to memory of 2104	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2104	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2104	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2104	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2200	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2200	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2200	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2200	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2224	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2224	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2224	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2224	1152	installer.exe	unpack200.exe
PID 1152 wrote to memory of 2248	1152	installer.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\Grossly Minecraft 1..exe
"C:\Users\Admin\AppData\Local\Temp\Grossly Minecraft 1..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\JavaSetup8u291.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\JavaSetup8u291.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\jds259324658.tmp\JavaSetup8u291.exe
"C:\Users\Admin\AppData\Local\Temp\jds259324658.tmp\JavaSetup8u291.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\msi.tmp"
5⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\jre1.8.0_291full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\msi.tmp"
5⤵
- Executes dropped EXE
PID:652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DB03C9638E81D7814EAD47DCEFA1C2CF
2⤵
- Loads dropped DLL
PID:1432

C:\Program Files (x86)\Java\jre1.8.0_291\installer.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_291\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180291F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152

C:\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2104

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:2272

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2296

C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_291\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_291\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:2324

C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaw.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\Java\jre1.8.0_291\bin\ssvagent.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2428

C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files (x86)\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Program Files (x86)\Java\jre1.8.0_291\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_291\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_291" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ADE117B1F327745285B27669D012DE3C M Global\MSI0000
2⤵
PID:2868

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1A9F5924C45700038C5433A4293A43A4
2⤵
PID:2948

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F7AAA5E9F1C09622DF9ED4FCB26B6518 M Global\MSI0000
2⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_291\bin\VCRUNTIME140.dll
MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-file-l2-1-0.dll
MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\ucrtbase.DLL
MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
MD5
60dc95ac4239957e5bf3597d884cf71c

SHA1
fcf71776c2e2b299983ea57107835dec1d9446c5

SHA256
6a5e2b1c18e1b6208b961df7fe0a2677f825895d14812c05e03b257199f77eed

SHA512
858ee562164526485dcce4d30f833e1da8e4d9bf2f630b56a0e21135885d5f2079813815d00e5fc65ac38d5a413ebe155c599c2d09896656279aed5d312a53f5

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_291\installer.exe
MD5
169f36c4503a69602d367ab88b9605ae

SHA1
6f5fb6d97c21bccb8bb796ed4b7b2ce793ac414f

SHA256
2c081a20f5e8c9c8380d2d2760a42d41f506c248d3bb7b2fb4a2a3201939038b

SHA512
00828ab00b387bdc49f05aeed331445832a8d8e73178aaa0055391cc9927e931cba12072765dc3ee147cf8f6afee3d63c1faa3397ca5cd9cf3161e9702c86cc8

Download Submit
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\baseimagefam8
MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\diff
MD5
c78aa986ddd82bcd08982f04ff978afa

SHA1
9486ce62ee93c5ea8eeaff18e3d79a20146bf41f

SHA256
7b423374c2f320035c7fe93403f3042c20e9047e2570783b378773fda74e8423

SHA512
0b6cf358c50ef504c0efd8821b7ade7cfa6a12a9c97eb1b1d54434f55129be89061446996c61ae49fbd17d5d10912cee3bab17a3768a151e5efd43ee22dcb608

Download Submit
C:\ProgramData\Oracle\Java\installcache\259351880.tmp\newimage
MD5
9bcebcc53c7b19bdb9725b4193568eee

SHA1
8fddc4cee23851e22a5704175911c62f8157b163

SHA256
6aa8db9fabe0178f5efb03f210e28e7d4605bff704aec56fa2f46933c7d16ef1

SHA512
484c14ef1d7ff838c5a7fa84bedd6cf4f190ea41be56967bd36ff0141ad9a147cdb74cf1a58d26c94574d151293570b13499f2705433c743fd87172e45fd9bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
5782baba9cf48035b5d64845b48e624f

SHA1
b06d3800fa04f807f21b84508e6303c46537cee3

SHA256
1e9b5ffad03b9d40eab6fc19521cff948ce85941d33277b915487fefe4d75aec

SHA512
e4a6925257c2e38230c345ae5ca58f1e2c2d1fbac8a19837d708e1d77cf78b4839d3c299527e0ffa47e1ea0d12304364dbf9dcd67fbad67cd49108f2da6d7b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
8978814f8366ffa35753214f06f79209

SHA1
e87771011bfc52bc0558aebdb81a2f0774c3dcff

SHA256
afc13e016fdca6b91aff72f6dbbce5b34d24fff79baea4bdf939cceac4e056aa

SHA512
5b18e14a20a395295d92b0a286a5d9252cee55854639c57e72e75b3c65dc917a51cc8e034f401788089f7021aa1a3346a648d24a37b291b5f1b06a6ba4e095f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
369cc52d7c921fdeaf2052090989993d

SHA1
84cae496e5e38e2eca5f646ed0edab9793610359

SHA256
c191ffcfc22a24e53739a17bbfe970ddccfdb55374a0e32447cc82c40038078d

SHA512
001d6a6e89dee7bf32b4a92b4ca016e4f89b264eb2a7b69ac0e219db6fb4466d92310e01c8955293afc2d1a45f0d7d523027abc701a2f4e54c3172aa6dd35762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
c471ce744e086479f62d1c9bfe1e56fb

SHA1
e9a5e22a7f5cf510141f73852eabcf360f912f0f

SHA256
faa0943700ba49e38a48657bf53e5d74e1776433315787e33c18b9a160db97fa

SHA512
8b59560e208a7ca5a504f5b09ccefc59ec53abda6fba7f0c55f9a9e9a2f5d5282aef11149eaab096af715d7e10bf305296d7ef57c6cd524fffe69e0d2596d072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
6045baccf49e1eba0e674945311a06e6

SHA1
379c6234849eecede26fad192c2ee59e0f0221cb

SHA256
65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58

SHA512
da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
ccb08c1c49237204689b5e4a1f32d2f4

SHA1
232c13abb38639a6b909b1d7ff31e01547cd3934

SHA256
e43f3acc0e30e36335b19e6d6d4297385c011f9880b575502e38494bc7501734

SHA512
4a19591467c160f22efdc49293d38379103af877a315642b417335b2350c524f1339259afcb65b6721e6b2820eee6431bd3db622284fc7537feeb04381a4ecfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
MD5
4eb03e127b5ef2fa5affb9f8c4f58f2f

SHA1
75fce492d83bdd00c58fbcb325684d5ff16bab26

SHA256
a655f5b42f557757a6f40cb9b134008d6520b5ed3b48817be66807ba122fbc2e

SHA512
35c35d05f4c5e70a674796f5c8266e9e2fb5f91375c23e44c04cb74a217b5b5b1232032fb0aa925c63620fdbef1d08026aa6f6fbf194da886eb519266ab7e353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_B514E3306E9B5CC22C1D3DB90570477A
MD5
373b07d5eeeab9329a09a67f0fcb3e8c

SHA1
922cfdf9495c0427e3055e698c9955485f5960a5

SHA256
562ff3e267c66485e176bd0104c2784d2135ac05deaaf76783238c98591fce01

SHA512
a6a70a938b6c8c863b1d17350495e830780bc25e472371464ee11cccb19603acbef5a281a721a1e94d6372190f87c0e27d9cd29689a11bada93479a01e502149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
c34ad37327d7a7a5ac72343fb166f7a7

SHA1
676c24647e36de7864207c12cc569c8b1c2af2e2

SHA256
4c684c5821f690c8c16bf50d51ad55a2f8b00b721a804caa936e3679d069398e

SHA512
071e08625739ffb0a1476cf6245568fdc11e649d0443432b6f2bd9dd2f47a656bb359634a7a1077f10035ddfb6d7d87f27830fd321f7eacdb07ef664402cae26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
28a858e5ac1af397e9c342642865be7e

SHA1
686e89ef49f630cce5e6c5c434dc9898b54f9b5b

SHA256
fbd765bdc6d5fecb9d5b1d399df06acea902ff4de77e9eb550287b184a27bfeb

SHA512
35cd7f5e3c5a8e47f4880b861a20c85cdaaf4ae4ef325dec35b008ebeadf660212af578c49327bce39991e4e3e5cc8980398056289c2e22e1d251c8ee2e6f40b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
171e58f1f6e01ca7cea7636fe6da0ba9

SHA1
bf42c4c645d7aabf2e75b6125f8509f3ee4338fb

SHA256
17e008edc89fe272055926cd979ad6764794f4fba350c240550ce203e48c3914

SHA512
0b7e849224c584c101aa36610fa6127e7e92b1b4236d4890a9d972abb185c15c350b225f3ab2d0c411623edf3cc6c519d41b0cf6354d74a1254b21d0868e436f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\au.msi
MD5
1f522cf557efd57a613ebcea4cde7f8c

SHA1
34cb8cbb006d6f7b8f538b0248ba0c6a6cba9200

SHA256
0eb0133988cfd54ad5714baa625d2aae785ca2bc7a43a12ca2d192ca56d4e855

SHA512
348608eec5d2f897adb25f0b74f24b5696c2a548f864a240cc4001e604da46c476efafdcfabfd5e3e44e8421c809cd8f2ab0c970f04443bd1757bf733cbe7b1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\jre1.8.0_291full.msi
MD5
9c666bb7b85bcb7ffbc6c18cb7c2c7ef

SHA1
c86ef5efe858e2be11bd8f74d803499b6f46034b

SHA256
7aee142f44240edb7acced87f1eadf58d1ac4566f43189e64c8d0c8df8f7cc06

SHA512
03f4f6c486fdf7b4fc7f92d534d9c8b8cc020cd3660c6ad873020b222f427da755a3875a57bce128a320584013cb0d8e9ef6d382166979a489d3107905531dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\msi.tmp
MD5
e8885dcd325cef5cae89e18a011e47bf

SHA1
8941edce5e9e46970e8139465f6835266316b268

SHA256
ff8c1e111fa28742b31a9dca06e17357b5281476868062519f44e65352ff5e8f

SHA512
07ebe3ca6e28fc389171f5456d0bb6f5488652ed0d3f8979d010a080de60377f34fc2e2016d3de4ec5711e4fc40212ecae4d24bb0be64e38818b6b2a17a4a246

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\msi.tmp
MD5
77a289366e6d4c6083bac3a1fdf8265a

SHA1
4dc070c4f34e97e53be764f5c081e437a33f9695

SHA256
1684b67d1debc39dab2b38faabc86b40082f913f719766c6170da12173e76123

SHA512
737111621c67529fc4283df5da20b53511e7f9bea4f8f6039e1388b6d01b36b7b737ee2345af7f2aa03f2d7ba258625e1b74c6d6e192886f4d21684f75e1df13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bq3gxmw\imagestore.dat
MD5
b425447dd921badea1e01de2bf9526ac

SHA1
75b007ce60727e859badd4a369c1ad7ee5705827

SHA256
8dc78a96d029bdbc6606030ff9cc0a4334e723dd63bb7212d5d2bc8098c1c4ea

SHA512
82130cfc6ebead5f2fd76243c69128b5cce369a95a04ce717dcb5d1ce5d148466416695802931336c35642f3aa67047a286326324685cb8b9397f6fe1ec77718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\JavaSetup8u291.exe
MD5
b6c487f8fc0ee3258fc1862a5fd25598

SHA1
2a84cd28e1907133cfe446157b329bf9c81a47eb

SHA256
cd3686f33fe916a7c4fcd4022fdbd1cfa5e1942d7222fa62606a853f37bf62c8

SHA512
6d0f59a1be2ccf12cc21046bb79744aeae08497511843361a38e6925e02c43ae8ac6de12740ce4889254d221f0ed4fdb6bf3c2141c12e765d1aadcbe88cfce85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\JavaSetup8u291.exe.c4rmurd.partial
MD5
b6c487f8fc0ee3258fc1862a5fd25598

SHA1
2a84cd28e1907133cfe446157b329bf9c81a47eb

SHA256
cd3686f33fe916a7c4fcd4022fdbd1cfa5e1942d7222fa62606a853f37bf62c8

SHA512
6d0f59a1be2ccf12cc21046bb79744aeae08497511843361a38e6925e02c43ae8ac6de12740ce4889254d221f0ed4fdb6bf3c2141c12e765d1aadcbe88cfce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259324658.tmp\JavaSetup8u291.exe
MD5
0a28e2bada42a676aa35731bcb7c17c5

SHA1
c6ef0a72166203aab83a0ac6d2df5e5508eedece

SHA256
640a5460cb22a894868dffd9861ddbe336470437fcc88cbf561af737024616f6

SHA512
f4da929dbce99b6f09cd79c5d48d08e98611e3b5e6654de4432421f2f5d4a2255b931cbdc50a739c634adbed5b499f9499c9ec74fa81288da47af951db303579

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259324658.tmp\JavaSetup8u291.exe
MD5
0a28e2bada42a676aa35731bcb7c17c5

SHA1
c6ef0a72166203aab83a0ac6d2df5e5508eedece

SHA256
640a5460cb22a894868dffd9861ddbe336470437fcc88cbf561af737024616f6

SHA512
f4da929dbce99b6f09cd79c5d48d08e98611e3b5e6654de4432421f2f5d4a2255b931cbdc50a739c634adbed5b499f9499c9ec74fa81288da47af951db303579

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
dc2b5a2e5c3596ff73f3259b1e707cc7

SHA1
8bd520d35cff0b09647931498a6dd49959564e32

SHA256
57f0e2f65f6a2f1986a97c86a20904c7e8e9b87b103a94716cbb2cdb4c6e3270

SHA512
b3fa972da254e1f25ff96c5c994417bb16cb4489143ed0b8e233dfe45293ecbd80863d6260ad683ed8cefda97404627a1dfc44fa7e2ccbf2f754603c941e8402

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
2c9fbc3082eb2152e8e0f5f8456dcfaa

SHA1
c064bf71d2d09a91a4bcf02a8a55a739725ac7e9

SHA256
9a3055882ea7ff9457869c318ce178f45af2dc4a7d61928af0a30eec50eb2575

SHA512
67aa78ec1cabbab42bc3593ca8fbccb36d46dbfa9d12db560ce693a66a8d840c41489406bc549d1643d79cdf50a67bd7265c79124f842800e7041bd072fd886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5
aa1cec435217d8e14d2da713eb0bf2f4

SHA1
65f1389f7645c9984a976398bdde9c98766a44c0

SHA256
d5aa80d0145c8754a678868576663a4759b7871f6a4e57f07d7b9c65f4df6b24

SHA512
cfb70bf859d67f68dbed8419047787f9814930e809d5b9f23ec6202e19aa9c0417e3b17245fc12cc4fb9f80d2dffb9cdf40bbbf01ba9244463fb2fe2f5a15c88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G7IMQYTR.txt
MD5
bf7b79e6dfcad499b80f9f24cb848728

SHA1
01b400a92a2118820cc83ebf8558f7d7aec83efa

SHA256
d2c284f3669eccf2c5bd7de826882be7df9fd34fac59dc7c6a155cd015b2405c

SHA512
f100dda916debdcc9bb87216bdccdc52c64cdce8a619e959703cd3892fe4c05f757458c24fd96529fd2c43942a2fe8c1b081a4deb2f4ff874e55f4a516169198

Download Submit
C:\Windows\Installer\MSI585F.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
C:\Windows\Installer\MSI5CA4.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
C:\Windows\Installer\MSI5DDE.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
C:\Windows\Installer\f755056.msi
MD5
77a289366e6d4c6083bac3a1fdf8265a

SHA1
4dc070c4f34e97e53be764f5c081e437a33f9695

SHA256
1684b67d1debc39dab2b38faabc86b40082f913f719766c6170da12173e76123

SHA512
737111621c67529fc4283df5da20b53511e7f9bea4f8f6039e1388b6d01b36b7b737ee2345af7f2aa03f2d7ba258625e1b74c6d6e192886f4d21684f75e1df13

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-file-l1-2-0.dll
MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-localization-l1-2-0.dll
MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-processthreads-l1-1-1.dll
MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-core-timezone-l1-1-0.dll
MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\api-ms-win-crt-runtime-l1-1-0.dll
MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\ucrtbase.dll
MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\unpack200.exe
MD5
60dc95ac4239957e5bf3597d884cf71c

SHA1
fcf71776c2e2b299983ea57107835dec1d9446c5

SHA256
6a5e2b1c18e1b6208b961df7fe0a2677f825895d14812c05e03b257199f77eed

SHA512
858ee562164526485dcce4d30f833e1da8e4d9bf2f630b56a0e21135885d5f2079813815d00e5fc65ac38d5a413ebe155c599c2d09896656279aed5d312a53f5

Download Submit
\Program Files (x86)\Java\jre1.8.0_291\bin\vcruntime140.dll
MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\259351880.tmp\bspatch.exe
MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_291\LZMA_EXE
MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds259324658.tmp\JavaSetup8u291.exe
MD5
0a28e2bada42a676aa35731bcb7c17c5

SHA1
c6ef0a72166203aab83a0ac6d2df5e5508eedece

SHA256
640a5460cb22a894868dffd9861ddbe336470437fcc88cbf561af737024616f6

SHA512
f4da929dbce99b6f09cd79c5d48d08e98611e3b5e6654de4432421f2f5d4a2255b931cbdc50a739c634adbed5b499f9499c9ec74fa81288da47af951db303579

Download Submit
\Windows\Installer\MSI585F.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
\Windows\Installer\MSI5CA4.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
\Windows\Installer\MSI5DDE.tmp
MD5
67809c5906382f8610dffe10bfa615d5

SHA1
8861e4d656fab0d7525ee0954cba0e008f328ef3

SHA256
54b3eb1d723255e0bb90888fe0bb75a6a587e921c686f0b1822c0d7d2b7222b1

SHA512
fc92c7fb40382fc95cd8e043727615a93a8ec54100985d3cd4ddff0cb830a1a2046d70085e8e4343b1c2595c349821fc6c50d72180621cc824a01e72a4055e5e

Download Submit
memory/652-89-0x0000000000000000-mapping.dmp

Download
memory/940-70-0x0000000000000000-mapping.dmp

Download
memory/940-81-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1152-107-0x0000000000000000-mapping.dmp

Download
memory/1432-98-0x0000000000000000-mapping.dmp

Download
memory/1572-97-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1708-113-0x0000000000000000-mapping.dmp

Download
memory/1720-67-0x0000000000000000-mapping.dmp

Download
memory/1728-84-0x0000000000000000-mapping.dmp

Download
memory/1776-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1908-63-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/2104-124-0x0000000000000000-mapping.dmp

Download
memory/2200-141-0x0000000000000000-mapping.dmp

Download
memory/2224-142-0x0000000000000000-mapping.dmp

Download
memory/2248-143-0x0000000000000000-mapping.dmp

Download
memory/2272-144-0x0000000000000000-mapping.dmp

Download
memory/2296-145-0x0000000000000000-mapping.dmp

Download
memory/2324-146-0x0000000000000000-mapping.dmp

Download
memory/2356-147-0x0000000000000000-mapping.dmp

Download
memory/2356-148-0x00000000026C0000-0x00000000026E8000-memory.dmp

Filesize
160KB

Download
memory/2356-149-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2440-150-0x0000000000000000-mapping.dmp

Download
memory/2460-166-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2460-176-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2460-156-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2460-161-0x00000000026D8000-0x00000000026E0000-memory.dmp

Filesize
32KB

Download
memory/2460-164-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2460-165-0x00000000026F8000-0x0000000002700000-memory.dmp

Filesize
32KB

Download
memory/2460-163-0x00000000026E8000-0x00000000026F0000-memory.dmp

Filesize
32KB

Download
memory/2460-162-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2460-160-0x00000000026C8000-0x00000000026D0000-memory.dmp

Filesize
32KB

Download
memory/2460-159-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2460-158-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2460-155-0x0000000002678000-0x0000000002680000-memory.dmp

Filesize
32KB

Download
memory/2460-154-0x0000000002630000-0x0000000002658000-memory.dmp

Filesize
160KB

Download
memory/2460-152-0x0000000000000000-mapping.dmp

Download
memory/2460-167-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2460-168-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2460-170-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2460-171-0x0000000002708000-0x0000000002710000-memory.dmp

Filesize
32KB

Download
memory/2460-172-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2460-173-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2460-175-0x0000000002718000-0x0000000002720000-memory.dmp

Filesize
32KB

Download
memory/2460-157-0x0000000002668000-0x0000000002670000-memory.dmp

Filesize
32KB

Download
memory/2460-178-0x0000000002728000-0x0000000002730000-memory.dmp

Filesize
32KB

Download
memory/2460-180-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2460-177-0x0000000002738000-0x0000000002740000-memory.dmp

Filesize
32KB

Download
memory/2460-182-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2460-183-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2728-184-0x0000000000000000-mapping.dmp

Download
memory/2748-196-0x0000000002738000-0x0000000002740000-memory.dmp

Filesize
32KB

Download
memory/2748-197-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2748-190-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2748-188-0x0000000002690000-0x00000000026B8000-memory.dmp

Filesize
160KB

Download
memory/2748-195-0x0000000002728000-0x0000000002730000-memory.dmp

Filesize
32KB

Download
memory/2748-198-0x0000000002748000-0x0000000002750000-memory.dmp

Filesize
32KB

Download
memory/2748-189-0x00000000026D8000-0x00000000026E0000-memory.dmp

Filesize
32KB

Download
memory/2748-186-0x0000000000000000-mapping.dmp

Download
memory/2748-191-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2748-194-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2748-193-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2748-192-0x00000000026C8000-0x00000000026D0000-memory.dmp

Filesize
32KB

Download
memory/2748-199-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2868-200-0x0000000000000000-mapping.dmp

Download
memory/2948-202-0x0000000000000000-mapping.dmp

Download
memory/2996-204-0x0000000000000000-mapping.dmp

Download