bazarbackdoor | 8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

Resubmissions

01-04-2022 12:57

220401-p7a1eabdg5 10

01-04-2022 12:56

220401-p6ra1affgl 4

01-04-2022 12:54

220401-p47vzafffk 4

Analysis

max time kernel
674s
max time network
840s
platform
windows7_x64
resource
win7-20220331-en
submitted
01-04-2022 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CristalixLauncher-3.0.145.exe
Size

4.3MB
MD5

25b608146d97e46e5cb8d5d4a77440c5
SHA1

ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab
SHA256

8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9
SHA512

3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Score

10^/10

bazarbackdoor adware backdoor discovery persistence stealer

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Bazar/Team9 Backdoor payload 15 IoCs

Processes:

resource	yara_rule
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3
\Users\Admin\Downloads\jre-8u321-windows-x64.exe	BazarBackdoorVar3

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

8249 2312 msiexec.exe
8250 2312 msiexec.exe
Downloads MZ/PE file

flow	pid	process
8249	2312	msiexec.exe
8250	2312	msiexec.exe

Executes dropped EXE 15 IoCs

Processes:

jre-8u321-windows-x64.exejre-8u321-windows-x64.exejre-8u321-windows-x64.exejre-8u321-windows-x64.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exe

pid	process
1156	jre-8u321-windows-x64.exe
2740	jre-8u321-windows-x64.exe
2924	jre-8u321-windows-x64.exe
3056	jre-8u321-windows-x64.exe
2128	installer.exe
1460	bspatch.exe
3044	unpack200.exe
2948	unpack200.exe
2296	unpack200.exe
1300	unpack200.exe
556	unpack200.exe
2856	unpack200.exe
2060	unpack200.exe
1420	javaw.exe
1800	ssvagent.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exejre-8u321-windows-x64.exejre-8u321-windows-x64.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exe

pid	process
1820	chrome.exe
896	chrome.exe
896	chrome.exe
1300	chrome.exe
1300	chrome.exe
1156	jre-8u321-windows-x64.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
2924	jre-8u321-windows-x64.exe
1216
1216
2056	MsiExec.exe
2056	MsiExec.exe
2056	MsiExec.exe
2312	msiexec.exe
1460	bspatch.exe
1460	bspatch.exe
1460	bspatch.exe
2128	installer.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
3044	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe
2948	unpack200.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_321\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jsound.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\sound.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\thaidict.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\calendars.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-datetime-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-processenvironment-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\servertool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\dynalink.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\decora_sse.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jawt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\jopt-simple.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\hijrah-config-umalqura.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\currency.data	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\deploy\splash_11@2x-lic.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\jfr.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\deploy.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\resource.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-file-l2-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-interlocked-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\security\java.security	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\lcms.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\jfr.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\server\jvm.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\legal\javafx\gstreamer.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\charsets.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\lib\security\policy\limited\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_321\bin\mlib_image.dll	installer.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI668D.tmp	msiexec.exe
File created	C:\Windows\Installer\736220.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB04.tmp	msiexec.exe
File created	C:\Windows\Installer\73621e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\73621e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBD1.tmp	msiexec.exe
File created	C:\Windows\Installer\736222.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEinstaller.exejre-8u321-windows-x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_321\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A51D141-B1CC-11EC-B272-728954ED7CC0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	jre-8u321-windows-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0272-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0064-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_180"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_201"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0116-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0290-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0240-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0193-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_288"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0285-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_73"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_28"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0197-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_39"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_288"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0185-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0112-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0120-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0159-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0204-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0311-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0098-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_238"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_12"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0266-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0106-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0116-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_36"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0168-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_168"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0190-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_57"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_43"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_02"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0286-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0272-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0095-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0236-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_57"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_05"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_44"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0093-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0235-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_42"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_26"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_73"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0131-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0157-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0215-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_183"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0129-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0208-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_111"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_141"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0089-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0141-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0307-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll"	installer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1340	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
3020	chrome.exe
2332	chrome.exe
2764	chrome.exe
1460	chrome.exe
2080	chrome.exe
2600	chrome.exe
2432	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jre-8u321-windows-x64.exe

pid process

2740 jre-8u321-windows-x64.exe

pid	process
2740	jre-8u321-windows-x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEjre-8u321-windows-x64.exemsiexec.exe

description	pid	process
Token: 33	2748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2748	AUDIODG.EXE
Token: 33	2748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2748	AUDIODG.EXE
Token: SeShutdownPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeSecurityPrivilege	2312	msiexec.exe
Token: SeCreateTokenPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeLockMemoryPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeMachineAccountPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeTcbPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeSecurityPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeTakeOwnershipPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeLoadDriverPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeSystemProfilePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeSystemtimePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeProfSingleProcessPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeIncBasePriorityPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeCreatePagefilePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeCreatePermanentPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeBackupPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeRestorePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeShutdownPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeDebugPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeAuditPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeChangeNotifyPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeRemoteShutdownPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeUndockPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeSyncAgentPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeEnableDelegationPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeManageVolumePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeImpersonatePrivilege	2740	jre-8u321-windows-x64.exe
Token: SeCreateGlobalPrivilege	2740	jre-8u321-windows-x64.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exe

pid	process
316	iexplore.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEjre-8u321-windows-x64.exe

pid	process
316	iexplore.exe
316	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
2740	jre-8u321-windows-x64.exe
2740	jre-8u321-windows-x64.exe
2740	jre-8u321-windows-x64.exe
2740	jre-8u321-windows-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CristalixLauncher-3.0.145.exeiexplore.exechrome.exe

description	pid	process	target process
PID 1048 wrote to memory of 316	1048	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1048 wrote to memory of 316	1048	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1048 wrote to memory of 316	1048	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1048 wrote to memory of 316	1048	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 316 wrote to memory of 1080	316	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 1948	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1948	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1948	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1344	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1340	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1340	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 1340	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe
PID 1820 wrote to memory of 800	1820	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://java.com/download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6db4f50,0x7fef6db4f60,0x7fef6db4f70
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1144 /prefetch:2
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 /prefetch:8
2⤵
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3340 /prefetch:2
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1684 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3772 /prefetch:8
2⤵
- Loads dropped DLL
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
- Loads dropped DLL
PID:1300

C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156

C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3468 /prefetch:8
2⤵
PID:564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3268 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3424 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1928 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5264 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2844 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 /prefetch:8
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1976 /prefetch:8
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=996 /prefetch:8
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,12727070436885040985,7943205022497270573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:1988

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924

C:\Users\Admin\AppData\Local\Temp\jds7529372.tmp\jre-8u321-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds7529372.tmp\jre-8u321-windows-x64.exe"
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 03DCDCDED985A7B6E1DB8CC127312438
2⤵
- Loads dropped DLL
PID:2056

C:\Program Files\Java\jre1.8.0_321\installer.exe
"C:\Program Files\Java\jre1.8.0_321\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_321\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180321F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2128

C:\ProgramData\Oracle\Java\installcache_x64\7586781.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_321\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_321\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2948

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_321\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2296

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_321\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:1300

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_321\lib/jsse.jar"
3⤵
- Executes dropped EXE
PID:556

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_321\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:2856

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_321\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:2060

C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:1420

C:\Program Files\Java\jre1.8.0_321\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_321\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Modifies registry class
PID:1800

C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:1832

C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_321" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzMyMVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zMjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzMyMVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
990f402b6fbe231552f0f2ee8bc12dd9

SHA1
e47848a9da8d5706bedf4d77245a317ddbf21241

SHA256
49e28b6e8bd3b87a692d97518dbdfd7743cdbfd312ecfcf5a814ece2392caab1

SHA512
6556ce3decf713d8b1a377ce32d1610f6fe577701e85f25ece942b108de6b6fdef7c35ada461c27a5816abb46cf1e581067a8c2a18886c6ec5533e1f6d94200d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
990f402b6fbe231552f0f2ee8bc12dd9

SHA1
e47848a9da8d5706bedf4d77245a317ddbf21241

SHA256
49e28b6e8bd3b87a692d97518dbdfd7743cdbfd312ecfcf5a814ece2392caab1

SHA512
6556ce3decf713d8b1a377ce32d1610f6fe577701e85f25ece942b108de6b6fdef7c35ada461c27a5816abb46cf1e581067a8c2a18886c6ec5533e1f6d94200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
3KB

MD5
47aed4eb7330662abd2c0c395bb11ca7

SHA1
6c69818c27fd02b830c036281b0cdb6a92870610

SHA256
5a0a06656c9bf2e5fd8fe99fa8beb1da03866b39ccdd0fb5a4334894b17a29e4

SHA512
12ae8ec96aee6f88fb877769706453ff72225ea975ce7ed7f01f732ac5e435b2881fb42fb2825bb8c5f6e59d5a267497e12f4aa92eca59829d38039ce3ac364e

Download Submit
C:\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\??\pipe\crashpad_1820_GYTHCOHEFXRXDAJS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
\Users\Admin\AppData\Local\Temp\jds7358130.tmp\jre-8u321-windows-x64.exe
Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
\Users\Admin\Downloads\jre-8u321-windows-x64.exe
Filesize
82.0MB

MD5
5c4de2813b42c80a2d77983624512e7a

SHA1
0e645b1e56de38a5859d187d71c792ea7cb5735a

SHA256
273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

SHA512
263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

Download Submit
memory/556-90-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/1156-57-0x0000000000000000-mapping.dmp

Download
memory/1300-89-0x0000000000000000-mapping.dmp

Download
memory/1420-93-0x0000000000000000-mapping.dmp

Download
memory/1420-98-0x0000000002060000-0x0000000011060000-memory.dmp

Filesize
240.0MB

Download
memory/1420-97-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1460-84-0x0000000000000000-mapping.dmp

Download
memory/1832-100-0x0000000000000000-mapping.dmp

Download
memory/2056-81-0x0000000000000000-mapping.dmp

Download
memory/2060-92-0x0000000000000000-mapping.dmp

Download
memory/2096-105-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-113-0x0000000002220000-0x0000000011220000-memory.dmp

Filesize
240.0MB

Download
memory/2096-153-0x0000000002220000-0x0000000011220000-memory.dmp

Filesize
240.0MB

Download
memory/2096-121-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-117-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-116-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-114-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-112-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-101-0x0000000000000000-mapping.dmp

Download
memory/2096-111-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-106-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-107-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-108-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2096-110-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2128-83-0x0000000000000000-mapping.dmp

Download
memory/2296-88-0x0000000000000000-mapping.dmp

Download
memory/2740-64-0x0000000000000000-mapping.dmp

Download
memory/2740-66-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp

Filesize
8KB

Download
memory/2856-91-0x0000000000000000-mapping.dmp

Download
memory/2948-87-0x0000000000000000-mapping.dmp

Download
memory/3044-86-0x0000000000000000-mapping.dmp

Download
memory/3056-78-0x0000000000000000-mapping.dmp

Download