cobaltstrike | 3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3

Analysis

max time kernel
92s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Size

3.5MB
MD5

5868d5f4553d09e0cec3ac99e5627a02
SHA1

8d770dc0933e355b02aace86e7231b4bf437af1a
SHA256

3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3
SHA512

92769d31ef11c83c0e87307dca29d38a41a521dfb89e3ef521c7c34c78fc14b718a787417fee463bb68a10f249af5fb043a7596cb451e26d3b9b6ae81a4cfbe5

Score

10^/10

cobaltstrike metasploit adware backdoor discovery stealer trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 13 IoCs

Processes:

3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exeLZMA_EXELZMA_EXEinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exe

pid	process
4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
4524	LZMA_EXE
2124	LZMA_EXE
4752	installer.exe
5096	bspatch.exe
4568	unpack200.exe
3456	unpack200.exe
3508	unpack200.exe
1880	unpack200.exe
2004	unpack200.exe
4880	unpack200.exe
2768	unpack200.exe
4996	javaw.exe

Loads dropped DLL 18 IoCs

Processes:

MsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeinstaller.exe

pid	process
1760	MsiExec.exe
1760	MsiExec.exe
4568	unpack200.exe
3456	unpack200.exe
3508	unpack200.exe
1880	unpack200.exe
2004	unpack200.exe
4880	unpack200.exe
2768	unpack200.exe
4996	javaw.exe
4996	javaw.exe
4996	javaw.exe
4996	javaw.exe
4996	javaw.exe
4752	installer.exe
4752	installer.exe
4752	installer.exe
4752	installer.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

556 icacls.exe
4856 icacls.exe

pid	process
556	icacls.exe
4856	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exeunpack200.exeunpack200.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\fonts\LucidaTypewriterBold.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-crt-math-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\bci.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\currency.data	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\fxplugins.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy\splash_11@2x-lic.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\resources.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\tzmappings	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\javaws.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\ktab.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\management-agent.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\zip.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\javafx.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\rt.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-synch-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\java-rmi.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\ext\access-bridge-32.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-handle-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\classlist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\release	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\jsse.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\plugin.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-file-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\net.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-crt-environment-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\jpeg.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\java.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\msvcr100.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\management.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\Welcome.html	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\concrt140.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npdeployJava1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\jjs.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\klist.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\policytool.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\verify.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssvagent.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-console-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-libraryloader-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\decora_sse.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\eula.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\lib\jvm.hprof.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_151\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e5718c8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5718c8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180151F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI253C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2637.tmp	msiexec.exe
File created	C:\Windows\Installer\e5718cb.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_93"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_54"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_03"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0096-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0105-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_93"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_11"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0122-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_122"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_58"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_91"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_43"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_27"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_70"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_10"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_74"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0137-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_137"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_01"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_32"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_06"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_44"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_86"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_53"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0074-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_151\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBC}	installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeIncreaseQuotaPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSecurityPrivilege	4768	msiexec.exe
Token: SeCreateTokenPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeAssignPrimaryTokenPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeLockMemoryPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeIncreaseQuotaPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeMachineAccountPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeTcbPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSecurityPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeTakeOwnershipPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeLoadDriverPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSystemProfilePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSystemtimePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeProfSingleProcessPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeIncBasePriorityPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeCreatePagefilePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeCreatePermanentPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeBackupPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeRestorePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeShutdownPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeDebugPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeAuditPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSystemEnvironmentPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeChangeNotifyPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeRemoteShutdownPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeUndockPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeSyncAgentPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeEnableDelegationPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeManageVolumePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeImpersonatePrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeCreateGlobalPrivilege	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 4532 wrote to memory of 4168	4532	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
PID 4532 wrote to memory of 4168	4532	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
PID 4532 wrote to memory of 4168	4532	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
PID 4168 wrote to memory of 4524	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4168 wrote to memory of 4524	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4168 wrote to memory of 4524	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4168 wrote to memory of 2124	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4168 wrote to memory of 2124	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4168 wrote to memory of 2124	4168	3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe	LZMA_EXE
PID 4768 wrote to memory of 1760	4768	msiexec.exe	MsiExec.exe
PID 4768 wrote to memory of 1760	4768	msiexec.exe	MsiExec.exe
PID 4768 wrote to memory of 1760	4768	msiexec.exe	MsiExec.exe
PID 4768 wrote to memory of 4752	4768	msiexec.exe	installer.exe
PID 4768 wrote to memory of 4752	4768	msiexec.exe	installer.exe
PID 4768 wrote to memory of 4752	4768	msiexec.exe	installer.exe
PID 4752 wrote to memory of 5096	4752	installer.exe	bspatch.exe
PID 4752 wrote to memory of 5096	4752	installer.exe	bspatch.exe
PID 4752 wrote to memory of 5096	4752	installer.exe	bspatch.exe
PID 4752 wrote to memory of 4568	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4568	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4568	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3456	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3456	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3456	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3508	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3508	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 3508	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 1880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 1880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 1880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2004	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2004	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2004	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4880	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2768	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2768	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 2768	4752	installer.exe	unpack200.exe
PID 4752 wrote to memory of 4996	4752	installer.exe	javaw.exe
PID 4752 wrote to memory of 4996	4752	installer.exe	javaw.exe
PID 4752 wrote to memory of 4996	4752	installer.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
"C:\Users\Admin\AppData\Local\Temp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\jds240560968.tmp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
"C:\Users\Admin\AppData\Local\Temp\jds240560968.tmp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\\msi.tmp"
3⤵
- Executes dropped EXE
PID:4524

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\jre1.8.0_151full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\\msi.tmp"
3⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaw.exe
-cp "C:\Program Files (x86)\Java\jre1.8.0_151\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -systemConfig deployment.expiration.check.enabled false
3⤵
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9D317C6491700D0B6A24612D4590E9DA
2⤵
- Loads dropped DLL
PID:1760

C:\Program Files (x86)\Java\jre1.8.0_151\installer.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_151\\" WEB_ANALYTICS=Disable EULA=Disable INSTALL_SILENT=Enable AUTO_UPDATE=Disable SPONSORS=Disable REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180151F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752

C:\ProgramData\Oracle\Java\installcache\240597812.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4568

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3456

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3508

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4880

C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_151\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_151\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768

C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaw.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4996

C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:4596

C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_151" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzE1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8xNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzE1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:1528

C:\Windows\SysWOW64\icacls.exe
"icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
5⤵
- Modifies file permissions
PID:556

C:\Windows\SysWOW64\icacls.exe
"icacls.exe" C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d809d.timestamp /grant "everyone":(OI)(CI)M
5⤵
- Modifies file permissions
PID:4856

C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:1704

C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_151" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzE1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8xNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzE1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMTUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:4292

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C18D0C61411C4F26C3C95EAC6DCC1A56 E Global\MSI0000
2⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files (x86)\Java\jre1.8.0_151\installer.exe"
3⤵
PID:3972

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8A2F9591BEAB299032E1BBC88DC6E2BE
2⤵
PID:3276

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7C6D970B75B9A52C80B5A73D589A67B E Global\MSI0000
2⤵
PID:4884

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E92C35916DB06061CD8C9C2C4221E421
2⤵
PID:3060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE7BDDFE201090E132700A92321AC2FC E Global\MSI0000
2⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_151\bin\MSVCR100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\client\jvm.dll
Filesize
3.7MB

MD5
0e34e836876c4cd6d778a83b22816d5a

SHA1
e2a69c8fa91b7bb9f9e09b5323039a5e6684a13e

SHA256
22ddf52f959f1cd73497ecdfeb3a536319c35210debfdfda6d76bb6174345c42

SHA512
e7b0e12e8600467c972332e04d301e069029f44b25546f8323b8ceffb533433424e8767513de7d610ffe30c182e9ad242950f896c368fe492631918dc82e7a78

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\client\jvm.dll
Filesize
3.7MB

MD5
0e34e836876c4cd6d778a83b22816d5a

SHA1
e2a69c8fa91b7bb9f9e09b5323039a5e6684a13e

SHA256
22ddf52f959f1cd73497ecdfeb3a536319c35210debfdfda6d76bb6174345c42

SHA512
e7b0e12e8600467c972332e04d301e069029f44b25546f8323b8ceffb533433424e8767513de7d610ffe30c182e9ad242950f896c368fe492631918dc82e7a78

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\java.dll
Filesize
124KB

MD5
1f63aae5169408f1263d96f683c98d24

SHA1
d64412ddc7100c208d13dcb022433e8ee40b2943

SHA256
11fa12317e933045e9a37ecc05a1a8eb75daa239610e512c3dd9d0dba92d032a

SHA512
0607b4b4f7bf68d6bfb582a2ac5c94666efe31e2fd8a88fc514f9f4ebf8124279a148ac0cae05688188b98af4d0b4ed3657aaec3e0677fe09ae8cdda0530575b

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\java.dll
Filesize
124KB

MD5
1f63aae5169408f1263d96f683c98d24

SHA1
d64412ddc7100c208d13dcb022433e8ee40b2943

SHA256
11fa12317e933045e9a37ecc05a1a8eb75daa239610e512c3dd9d0dba92d032a

SHA512
0607b4b4f7bf68d6bfb582a2ac5c94666efe31e2fd8a88fc514f9f4ebf8124279a148ac0cae05688188b98af4d0b4ed3657aaec3e0677fe09ae8cdda0530575b

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\javaw.exe
Filesize
187KB

MD5
9334873b8e03987869c2fbf0999c3173

SHA1
d611051524021c340909d583871eb3ffa16566f7

SHA256
ff53529712d6043961f53c4c7aaf224bcd3e2be9305752b2dd896baf9beda990

SHA512
8fed407231eb43fd466c956439e15e830b259d850e2ac865e12ec171cf78c1022926c46bf99e7c6537450cd3df2135b2b66ef2737f81ca029e3a8a3ada52e22b

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\msvcr100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\unpack200.exe
Filesize
156KB

MD5
c6ab4fc23c074ece18f81541d964985e

SHA1
ad1bd0c150989fbb59cdd088dda53013c4563529

SHA256
e98b41d0e8d98ec2fe6bc70e96a52dd97fbbaf36b136a2a3215ed93f0123bbc8

SHA512
a6dc061c92edc93cbc73eb8b34b05d81339fae42488d5f58f6a20cd25fa875791ee68b335de8da79a80d04f1c2e416c5f778e160a8f9b86094f56aa03240b8b1

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\verify.dll
Filesize
38KB

MD5
ecb3a286322d71394b2545f46367f50e

SHA1
338dbbb53b3247d2fa176db0f20332f05bf6ca96

SHA256
81f16c1d1f4c4f53be6ac0f6ae18e8b75b9cb0539b90c524992f4c65186636bc

SHA512
06178edb48d9ef34245f7ac5014b7b33c6d4aa57f9af108f5eab836e755fcbd4945d61676adb641b5edd99de74fdb6c2305602c6cea21d8bac48ce224894a1c8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\verify.dll
Filesize
38KB

MD5
ecb3a286322d71394b2545f46367f50e

SHA1
338dbbb53b3247d2fa176db0f20332f05bf6ca96

SHA256
81f16c1d1f4c4f53be6ac0f6ae18e8b75b9cb0539b90c524992f4c65186636bc

SHA512
06178edb48d9ef34245f7ac5014b7b33c6d4aa57f9af108f5eab836e755fcbd4945d61676adb641b5edd99de74fdb6c2305602c6cea21d8bac48ce224894a1c8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\zip.dll
Filesize
69KB

MD5
2ff63cf7faf85d59e896c8e31f2630ac

SHA1
68883b37b49b59258f14e0a65d0ebeddd7a5a4b5

SHA256
b4925af3a393ab5207a8b4f780b187be470365c8e24ba716595574f5f035e81c

SHA512
543125b58e1f4a6c1b7d36a15ec6c0f3aff1f8d16c2852ce0b90e517e57541b4b9f771602de38a82e7886c1063a8b8652912f9e5ab4f04f5b1406c35931c7e8a

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\bin\zip.dll
Filesize
69KB

MD5
2ff63cf7faf85d59e896c8e31f2630ac

SHA1
68883b37b49b59258f14e0a65d0ebeddd7a5a4b5

SHA256
b4925af3a393ab5207a8b4f780b187be470365c8e24ba716595574f5f035e81c

SHA512
543125b58e1f4a6c1b7d36a15ec6c0f3aff1f8d16c2852ce0b90e517e57541b4b9f771602de38a82e7886c1063a8b8652912f9e5ab4f04f5b1406c35931c7e8a

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\installer.exe
Filesize
99.8MB

MD5
8674418c4e998d00078343d5b9cdcd95

SHA1
b835c24228f43ceea6dc10b8ee9724717df6226e

SHA256
2e4c111b24510b4edbb49d1c898039173844e3483cf0eaf3b7d655bd0360b69a

SHA512
571752d7e13f4468e0ce0b2c2642a49ff746dbadd72093ed070cec53552c38a605d3062198dabbfff724ac290bf2da85d90f50bcfe3172631c1bb0e43291282c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\installer.exe
Filesize
99.8MB

MD5
8674418c4e998d00078343d5b9cdcd95

SHA1
b835c24228f43ceea6dc10b8ee9724717df6226e

SHA256
2e4c111b24510b4edbb49d1c898039173844e3483cf0eaf3b7d655bd0360b69a

SHA512
571752d7e13f4468e0ce0b2c2642a49ff746dbadd72093ed070cec53552c38a605d3062198dabbfff724ac290bf2da85d90f50bcfe3172631c1bb0e43291282c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\charsets.pack
Filesize
1.0MB

MD5
b3c85c17eef31b250236e55cf4a8d4b7

SHA1
c299562de98e9f82ae27432a029009451b782f41

SHA256
80e6cd59b3df2c32f1a4098e72aaef373fd10ebef533c99f1ebdb96491a852b8

SHA512
d0c91f016999cf943f7bcda1a394bcf06f5d9e8408a92f8860d26f73f11fef071896497ab3e8275daecd0b54e8c0f56fd356e3ea3cd210023b66b4ee9d9f7002

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\deploy.pack
Filesize
1.8MB

MD5
a6ca146d146052f61c77644d3a5bb5ad

SHA1
61d1ed47d24f3188b9cfea99c93778681be50188

SHA256
cdce48ee53e3ba63bc805b48a53f371ffb386da5c412bce56f0c43af137ababc

SHA512
27dd31a5d1ed963c2cd76d9ac8c1b717ebbddfb5802bf53dcf7a2cbbb50ec4ac9c4fbd00cbe5e8c538b6b3252af9c6380e6cd8fedf464c28f8a3344e2cac5906

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\ext\localedata.pack
Filesize
1.3MB

MD5
34cc586402ee9ab0455ba31751772f60

SHA1
360fd97c92369f9de11e6cbb1de72ef171f775ca

SHA256
bf913b48a7280a5223700ebf85a0d070df9d812574a5b149a5821430944b95cf

SHA512
d5f56f59b9d7a8a64f2c286a8bac413b3153c9a17c0c6232fa2a9c0f6e0d58cc8aba3686658a8cdc68219dc0d828371825b905c68fa15ac2bcdb4a800bbb8fdd

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\i386\jvm.cfg
Filesize
623B

MD5
9aef14a90600cd453c4e472ba83c441f

SHA1
10c53c9fe9970d41a84cb45c883ea6c386482199

SHA256
9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1

SHA512
481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\javaws.pack
Filesize
206KB

MD5
bb01bfc9d21f14390ca1681a7f8b44d7

SHA1
39e8cd45da0efd9b6cff99ebc050dce7ac74ddc2

SHA256
9295e34c42aecc27b6d20e584df1d02d48860a7d725422e41d7fbe6d75b961cf

SHA512
78ce8b6b76dcdc7fe53ceb99e359c00a480fc6c493717c564cc45c4b1cccfcea34ce5d4455dda760612e5608062b47f2fadbcb362810a5a97bd65a5b59030a8b

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\jsse.pack
Filesize
157KB

MD5
42f63e52f0cf5cbdb8a27abfa1f7e8f8

SHA1
69be1c34974fa59cd82900667a50ac378659cb6c

SHA256
6f04f2cd9f2b3af59b5bca7778ddcd6b3bc414c16e415b6d9f4fc2f00b5b19b5

SHA512
f88e46a56779821d4fc366a7efdd3f495f2fa7cb79d614053b4a452adaa1cc918fb8eab45491dd30cc75be685374cd6972868b967505d14ff5988b9d84c946e9

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\meta-index
Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\plugin.pack
Filesize
480KB

MD5
bb56267e39d2a70460465c2378e2a3fd

SHA1
d4348ad9f0451c490fc9aa3c16918b10fbea6e56

SHA256
fa5c7366b88f9975da1be6b59185ca4c8fa4442702bbfcf83e666504e92601af

SHA512
10c75f43c0fcbb12caefb8576aa3a3b78cdf8d0c3ed63936921706439ae6375579f98d4d013e972b2c178b2cb715c54454392990bf619c1cdc65f5e8cd5dcada

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\resources.jar
Filesize
3.3MB

MD5
79b42b74a02c99a4fe199cc4996d5248

SHA1
4264efb3899d86feeeddac4630fdfcf7e3aeb744

SHA256
fe904d5fec215a2827970125ffc600de9980ef9bbc5d8d0069b62c36f4a20c29

SHA512
3ca608cbbd23317e6257604e8cd2d268c0159dc0b623296f50828b11e62e2f30df9d3b6e87c9d71d3e4c7d057db93819bd8234a15fc78366230e3d56056c2ef3

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_151\lib\rt.pack
Filesize
13.2MB

MD5
63c402e011cc83315dc0fc79b731517f

SHA1
75d60ea10a8297411162f552adf274e73c5a15d6

SHA256
42e5ef8c2bd583d62a6b7a438df750ff7e6bd6ce2ea95d722f06a4c1c0b05372

SHA512
cbce0174dcb48593102424987420dfeb752798e57dc18e027f1054d0e115259dcaf35db2840c0d6cf629bec782e37d4ed9aa7f102d7455bf77ef29d5633dd084

Download Submit
C:\ProgramData\Oracle\Java\installcache\240597812.tmp\baseimagefam8
Filesize
67.7MB

MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\240597812.tmp\bspatch.exe
Filesize
76KB

MD5
e76d957ac6885bf081878194f44db859

SHA1
1ac280ccb177c9179c9af048c40870bbd66545af

SHA256
6e660254360d0dcdc3909797b2106b212a54f8ab0cdbf62799010cff3956b054

SHA512
4d1c6900073e9893d9762f19f87db475b9e790807042f42bd0c34a81e8868ebb4444a297a7858ff1a86e4539c6f32e3788a9f92721c7e88a51061a3a34878693

Download Submit
C:\ProgramData\Oracle\Java\installcache\240597812.tmp\bspatch.exe
Filesize
76KB

MD5
e76d957ac6885bf081878194f44db859

SHA1
1ac280ccb177c9179c9af048c40870bbd66545af

SHA256
6e660254360d0dcdc3909797b2106b212a54f8ab0cdbf62799010cff3956b054

SHA512
4d1c6900073e9893d9762f19f87db475b9e790807042f42bd0c34a81e8868ebb4444a297a7858ff1a86e4539c6f32e3788a9f92721c7e88a51061a3a34878693

Download Submit
C:\ProgramData\Oracle\Java\installcache\240597812.tmp\diff
Filesize
31.0MB

MD5
3cd4cd8f88a125218202a9aa9d0de67f

SHA1
0ca06e263738500c84e5bbf9ea1b06b148fec5fa

SHA256
199a555b310fc45acee90305a36e4f90c32d228e6c851b75fb492671b6f97587

SHA512
4bf7453f611a3f0d072ae669fde2c8219d759cd7d6644b5395daf2f731c63dc1b18c2501a6ad3197005d4f4143d419cda47277da51410c060f362ecc7ebecc57

Download Submit
C:\ProgramData\Oracle\Java\installcache\240597812.tmp\newimage
Filesize
111.2MB

MD5
a87f113d96744818886ec6ae24b35e71

SHA1
882d72d18962379602c666d47a70da3228fe283a

SHA256
739d0122ebc1cab6aca5cdba13ee623110a61441103a5e5339a69951ec9307db

SHA512
5dc5b4d0b03209b2dfed24c5167e7fc875b0892b14538b4a0cb71672ae3bc9cef54024d706edbe85fc539dc4d861af401db86dabab4ac5584a86b78e86941afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
1KB

MD5
b8f67703c2dc97db76d998887b10246d

SHA1
da135f9417f7b388a24aa3e9f2e3039f79e41608

SHA256
31bc35bc15411aa14e9837fea704f2a647df36a0e8346b90796b70cc60526970

SHA512
0de04676073897a8e772c03c4d34fa943de61b736b9907ead1a96f10f2c61120a44448129243fd329652846ea5fc8040f64f8834d3b691ac46a461bb8b37e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
1KB

MD5
d554fd37dbda5dd61a5df2278de1de85

SHA1
fb2466bde478baf5767fe6db39a41db8d511bc1e

SHA256
54dcd67e8bc423dc96012b494579b3e1066ede850f698be2abfab35f3ad275ce

SHA512
5679779d1bc5507553754ff7abdd2590a1ed102ed47e92e530d728e445c052d7badcdbb5f13c9890d11938ee28023efddfd756d408dec6705d6680b9872ddc66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize
398B

MD5
898f4d8e66a370e07afa50365681b752

SHA1
1740ed31f40d6a89a6834956f18247f6884acda9

SHA256
270c195b94d0ecdcd8b365aad0f55596d04d8f061dc05081e9a1b72fa4cead08

SHA512
590bc2b85f6f5c05d69ecc90a55deed81aec18ba8690257b509a67749c69c476689b6b22d3c53f4f5abf4acf3be16d8c6f87110dc5ff7b7b481f121416b9a0b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1E65FD33F74047223AF4D58CBFD34BCE
Filesize
402B

MD5
de08354ba848ce52cfe2b9ecb967a4b6

SHA1
30df8f838908fc0aef9c675fe99a52ba1829ba48

SHA256
ceb226d46ad0fce7296404c99f899f2fdf71ec7330a1d95ef2df501ee65f009c

SHA512
8d0f1e3a8da08c8a66ed9cd561227efcd6516de05630fe7300b2d08ad7bf0ef939bc829321a08b88ee641bd1425f81934db1212d27815dc560fb47dc93e9af59

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\au.msi
Filesize
598KB

MD5
32d153e8092d61f7d2a9d2f85b5499a8

SHA1
7e5086362c3df562bffa58204266e9bfd1e832d9

SHA256
dc26128df77b9b9302fc416e861cf96da5ace0d6728bf53b6ceaa86f04bd0432

SHA512
0abf4488807452ff23109d39d37e6651fbb18da58f16b928515c5c4c94faf73917b0c45417ed92920f4d8ce219ab0a6900d65527905d80fa887856da642c7d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\jre1.8.0_151full.msi
Filesize
57.8MB

MD5
9f18fc6af3c46d1fffc67257aae15008

SHA1
a895f9bd62d47b0696b3556240500b5f2036cbe9

SHA256
ea229a54ebf38ab483ff5fcf7ba4b3af4678df2db35d1d0f95e905c4cf05e011

SHA512
2e83153dbf1edaeb620e0530dcdd7a914cb3646678213d5b824d8e9694eed51458b162e94fa5042dff5719b692288a7dfb571b3e2541011dc6e4345bb0e6c55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\msi.tmp
Filesize
744KB

MD5
d181c3ec418b36fd41f61937e31c66a1

SHA1
2ba54477b9909165397836c6d09305aa0f9af047

SHA256
460f3f85ab1d2ed3670ab89ddcbd4a101a38e2d474705061cba1fdb3f03c7f2d

SHA512
ca6675de2111ec4016ca5ea4bf147cab09c1cbfb21481837e4c4230adab2fc8acbfa345be30a20fbefe1dda6f7888b56a11226f109e0d60f5efca2ad72a3b34b

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_151\msi.tmp
Filesize
58.2MB

MD5
9a863e7d1620af0930b7aaf7ce76d753

SHA1
20cfb2cd24d1b476ed54cbb2fd7ebf9c0bcf4ed3

SHA256
44dc4f7ca7ce3ca239de44e13189524e923ffef7439a33db2d1fe1d20d3340fe

SHA512
7d0709c8c120b2d8a2a35257b88ff32e86a9f84ee624cc05da0fd31104e1e6c3aeabbba3a40ac5481cee8f3a3a9105c2cb7d8e634756510a22b1f63d11c7c93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240560968.tmp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Filesize
1.5MB

MD5
736e3f5f865d0ae2deabd5f57c4a67b9

SHA1
9da9afd4df6db19f8539f96749cf3b9d4ab02f44

SHA256
3d6b1f366b653c83213528c9d120cb0bcf736cb2f0fa92622995fce93ae18921

SHA512
79139528ef892979398080844c86ebf43a10ad60c70461149659a139cd1140e061ed26de9606de0e54362761363de93fa74b6c1f1867dbf8adeab3e32348f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240560968.tmp\3b664ef693e3a2ba0d802e3533665deeb5b6564b60b9df77ddf7b5238c5433b3.exe
Filesize
1.5MB

MD5
736e3f5f865d0ae2deabd5f57c4a67b9

SHA1
9da9afd4df6db19f8539f96749cf3b9d4ab02f44

SHA256
3d6b1f366b653c83213528c9d120cb0bcf736cb2f0fa92622995fce93ae18921

SHA512
79139528ef892979398080844c86ebf43a10ad60c70461149659a139cd1140e061ed26de9606de0e54362761363de93fa74b6c1f1867dbf8adeab3e32348f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
268KB

MD5
265d0d0605b02e4b02bb7a7b8219bed0

SHA1
16f24af70d149de3834bb292435182b0e86a2332

SHA256
ae142c3caf658310405d7b117e6f85055518db85ec343e56d8ea5140d90f7375

SHA512
3c12e55812d801ab4dee1da52c87aa555dcb129382753eb34c55d3ba202ca8a0d8272b579484459a08bd849a396e4b33d1244552bf76495acc2b7c0675dcebff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
295KB

MD5
7f3374af785cd7f3b9dc45bbd4c776e6

SHA1
90b2bb814a1d0eb0842d6815d8ca26ca9c32d1b9

SHA256
cf082389fa97dc66821ce52ff38c6cc2cb33f840b3932e9cba8b0cd684e31229

SHA512
72ab1f17b3f7dce4c1d2c0464e4677d944b4cbd581c0a4208f285cfd7ca124fc51bd773d2282b7dcbdbd8b44ec79bf8ca508552f87bc807510548582e78dbec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
306KB

MD5
486cc25318a6fa739484c9eecb5cb493

SHA1
3a3829283566c63a140783edd1b6e392bd848f23

SHA256
b9a1dfcd01e6dddbd507cf7b3e54a613849390d902b88177f0296b2ef3aae001

SHA512
22595152ae6d26eca9c1adeeb3cea05f88140befb57647af5f2f8b833e7388c0582dcf467b7a2ce31cf7b1c2cba631bd6188541ec90e6f6d117c2443406edb73

Download Submit
C:\Windows\Installer\MSI21D0.tmp
Filesize
180KB

MD5
8916a5ab8092ea95610ff18f929ace43

SHA1
9cd64bd7821e054c7b631fcc93569d6b5c11d047

SHA256
3ad56d01e9484ba2846bf1f99a2aaf671e389c2a414560ca1652e0f22e4baf47

SHA512
e2a6f04b3c482fa0e3bcc6647233e2876f86836709e996f828a2d09e458e6eba41d821765f66f538328586d246ce1823a9a0daf741e6c52bdfe5101bd9a765b1

Download Submit
C:\Windows\Installer\MSI21D0.tmp
Filesize
180KB

MD5
8916a5ab8092ea95610ff18f929ace43

SHA1
9cd64bd7821e054c7b631fcc93569d6b5c11d047

SHA256
3ad56d01e9484ba2846bf1f99a2aaf671e389c2a414560ca1652e0f22e4baf47

SHA512
e2a6f04b3c482fa0e3bcc6647233e2876f86836709e996f828a2d09e458e6eba41d821765f66f538328586d246ce1823a9a0daf741e6c52bdfe5101bd9a765b1

Download Submit
C:\Windows\Installer\MSI2637.tmp
Filesize
180KB

MD5
8916a5ab8092ea95610ff18f929ace43

SHA1
9cd64bd7821e054c7b631fcc93569d6b5c11d047

SHA256
3ad56d01e9484ba2846bf1f99a2aaf671e389c2a414560ca1652e0f22e4baf47

SHA512
e2a6f04b3c482fa0e3bcc6647233e2876f86836709e996f828a2d09e458e6eba41d821765f66f538328586d246ce1823a9a0daf741e6c52bdfe5101bd9a765b1

Download Submit
C:\Windows\Installer\MSI2637.tmp
Filesize
180KB

MD5
8916a5ab8092ea95610ff18f929ace43

SHA1
9cd64bd7821e054c7b631fcc93569d6b5c11d047

SHA256
3ad56d01e9484ba2846bf1f99a2aaf671e389c2a414560ca1652e0f22e4baf47

SHA512
e2a6f04b3c482fa0e3bcc6647233e2876f86836709e996f828a2d09e458e6eba41d821765f66f538328586d246ce1823a9a0daf741e6c52bdfe5101bd9a765b1

Download Submit
C:\Windows\Installer\e5718cb.msi
Filesize
58.2MB

MD5
9a863e7d1620af0930b7aaf7ce76d753

SHA1
20cfb2cd24d1b476ed54cbb2fd7ebf9c0bcf4ed3

SHA256
44dc4f7ca7ce3ca239de44e13189524e923ffef7439a33db2d1fe1d20d3340fe

SHA512
7d0709c8c120b2d8a2a35257b88ff32e86a9f84ee624cc05da0fd31104e1e6c3aeabbba3a40ac5481cee8f3a3a9105c2cb7d8e634756510a22b1f63d11c7c93d

Download Submit
memory/556-243-0x0000000000000000-mapping.dmp

Download
memory/1528-230-0x0000000000FF6000-0x0000000000FFB000-memory.dmp

Filesize
20KB

Download
memory/1528-227-0x0000000000FF6000-0x0000000000FFB000-memory.dmp

Filesize
20KB

Download
memory/1528-220-0x0000000000000000-mapping.dmp

Download
memory/1528-262-0x0000000003500000-0x0000000005500000-memory.dmp

Filesize
32.0MB

Download
memory/1528-260-0x0000000003500000-0x0000000005500000-memory.dmp

Filesize
32.0MB

Download
memory/1528-235-0x0000000003500000-0x0000000005500000-memory.dmp

Filesize
32.0MB

Download
memory/1528-231-0x0000000000FF6000-0x0000000000FFB000-memory.dmp

Filesize
20KB

Download
memory/1528-261-0x0000000003500000-0x0000000005500000-memory.dmp

Filesize
32.0MB

Download
memory/1528-225-0x0000000000FF6000-0x0000000000FFB000-memory.dmp

Filesize
20KB

Download
memory/1528-329-0x0000000003500000-0x0000000005500000-memory.dmp

Filesize
32.0MB

Download
memory/1704-263-0x0000000000000000-mapping.dmp

Download
memory/1760-149-0x0000000000000000-mapping.dmp

Download
memory/1880-180-0x0000000000000000-mapping.dmp

Download
memory/2004-184-0x0000000000000000-mapping.dmp

Download
memory/2124-141-0x0000000000000000-mapping.dmp

Download
memory/2488-310-0x0000000000000000-mapping.dmp

Download
memory/2488-337-0x0000000002FD0000-0x0000000004FD0000-memory.dmp

Filesize
32.0MB

Download
memory/2488-341-0x0000000002FD0000-0x0000000004FD0000-memory.dmp

Filesize
32.0MB

Download
memory/2488-345-0x0000000002FD0000-0x0000000004FD0000-memory.dmp

Filesize
32.0MB

Download
memory/2768-192-0x0000000000000000-mapping.dmp

Download
memory/3060-308-0x0000000000000000-mapping.dmp

Download
memory/3276-306-0x0000000000000000-mapping.dmp

Download
memory/3456-172-0x0000000000000000-mapping.dmp

Download
memory/3508-176-0x0000000000000000-mapping.dmp

Download
memory/3972-305-0x0000000000000000-mapping.dmp

Download
memory/4168-130-0x0000000000000000-mapping.dmp

Download
memory/4292-304-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-346-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-302-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-264-0x0000000000000000-mapping.dmp

Download
memory/4292-281-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-289-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-297-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-300-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4292-301-0x00000000037E0000-0x00000000057E0000-memory.dmp

Filesize
32.0MB

Download
memory/4524-136-0x0000000000000000-mapping.dmp

Download
memory/4532-133-0x0000000000400000-0x000000000078AF18-memory.dmp

Filesize
3.5MB

Download
memory/4532-135-0x0000000000DC0000-0x0000000000DF1000-memory.dmp

Filesize
196KB

Download
memory/4532-344-0x0000000000400000-0x000000000078AF18-memory.dmp

Filesize
3.5MB

Download
memory/4568-166-0x0000000000000000-mapping.dmp

Download
memory/4596-219-0x0000000000000000-mapping.dmp

Download
memory/4752-155-0x0000000000000000-mapping.dmp

Download
memory/4760-303-0x0000000000000000-mapping.dmp

Download
memory/4856-247-0x0000000000000000-mapping.dmp

Download
memory/4880-188-0x0000000000000000-mapping.dmp

Download
memory/4884-307-0x0000000000000000-mapping.dmp

Download
memory/4996-196-0x0000000000000000-mapping.dmp

Download
memory/4996-218-0x0000000002300000-0x0000000004300000-memory.dmp

Filesize
32.0MB

Download
memory/5032-309-0x0000000000000000-mapping.dmp

Download
memory/5096-160-0x0000000000000000-mapping.dmp

Download