fde56957b6193bd19e08e9aa3b584f591600e8f382d3a35147a30bf2dcadd9eb

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NFe35130560519634000187550010005208041116.dll
Size

541KB
MD5

c12eff8d72d6a7d0bccd4c3947ba1271
SHA1

351fee49a5207d1f16ddc036294b74cc98f06690
SHA256

7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736
SHA512

314402d330f0c01b131fcc78287472ee496120c9ba526b87438908fd85000a771ebb11386392bf6ff2fba8c3a08179e6cf9c8a7b50b10dd4d7cb07dc1de81c37
SSDEEP

12288:gKXAyRw6k2wnnA9UhcOsyj/kidgR6ncbGUTLyEud6p2Qh5zb:6yRw6k20WU6yAp6cV3txh5zb

Score

8^/10

adware persistence stealer vmprotect

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

90 1920 msiexec.exe
92 1920 msiexec.exe
94 1920 msiexec.exe
Downloads MZ/PE file

flow	pid	process
90	1920	msiexec.exe
92	1920	msiexec.exe
94	1920	msiexec.exe

Executes dropped EXE 10 IoCs

Processes:

java_setup.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exejaureg.exe

pid	process
976	java_setup.exe
836	unpack200.exe
2008	unpack200.exe
1172	unpack200.exe
1944	unpack200.exe
620	unpack200.exe
856	unpack200.exe
1992	unpack200.exe
1956	javaw.exe
992	jaureg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
behavioral1/memory/1044-86-0x000000005FF40000-0x00000000601FD000-memory.dmp	vmprotect
behavioral1/memory/1044-88-0x000000005FF40000-0x00000000601FD000-memory.dmp	vmprotect
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl	vmprotect
behavioral1/memory/584-93-0x000000005FF40000-0x00000000601FD000-memory.dmp	vmprotect

Drops startup file 1 IoCs

Processes:

iexplore.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.LNK iexplore.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.LNK	iexplore.exe

Loads dropped DLL 38 IoCs

Processes:

rundll32.exerundll32.execmd.exeMsiExec.exeMsiExec.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exeunpack200.exejavaw.exeMsiExec.exejava_setup.exe

pid	process
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
584	rundll32.exe
1120	cmd.exe
1112	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
836	unpack200.exe
2008	unpack200.exe
1172	unpack200.exe
1944	unpack200.exe
620	unpack200.exe
856	unpack200.exe
1992	unpack200.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1956	javaw.exe
1956	javaw.exe
1956	javaw.exe
1956	javaw.exe
1956	javaw.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
976	java_setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Firewall Cpl = "C:\\Users\\Admin\\Microsoft\\WindowsUpdate\\rundll32.cpl"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

MsiExec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MsiExec.exe

Drops file in System32 directory 7 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\java.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\javaw.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\javaws.exe	MsiExec.exe
File created	C:\Windows\SysWOW64\npDeployJava1.dll	MsiExec.exe
File created	C:\Windows\SysWOW64\deployJava1.dll	MsiExec.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exerundll32.exeiexplore.exe

description	pid	process	target process
PID 1928 set thread context of 2012	1928	rundll32.exe	svchost.exe
PID 1044 set thread context of 832	1044	rundll32.exe	iexplore.exe
PID 832 set thread context of 1620	832	iexplore.exe	iexplore.exe
PID 832 set thread context of 1184	832	iexplore.exe	iexplore.exe
PID 832 set thread context of 1388	832	iexplore.exe	iexplore.exe
PID 832 set thread context of 2016	832	iexplore.exe	iexplore.exe

Drops file in Program Files directory 64 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Rangoon	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-6	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\jaccess.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Belem	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Copenhagen	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Cocos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Atlantic\St_Helena	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-13	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\npt.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Chagos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Monrovia	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Sao_Tome	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\README.txt	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\deploy.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\npoji610.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\sunec.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\plugin.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Addis_Ababa	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\New_York	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Whitehorse	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Colombo	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Istanbul	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\COPYRIGHT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\jqs.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Gaborone	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Guayaquil	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\St_Johns	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Sofia	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\client\jvm.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Niamey	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Paris	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Maldives	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\verify.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\rt.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Lusaka	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Regina	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT+4	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Andorra	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\libxslt.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\flavormap.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\EST	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Indian\Kerguelen	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Galapagos	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\ext\access-bridge.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Thule	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Norfolk	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\accessibility.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Africa\Bujumbura	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Nassau	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Hong_Kong	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Asia\Urumqi	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Zurich	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\GMT-14	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Etc\UTC	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\java_crw_demo.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\msvcr100.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\America\Maceio	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Europe\Madrid	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\zi\Pacific\Wake	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\bin\plugin2\msvcr100.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jre7\lib\jfr.jar	MsiExec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIE732.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2753.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc602.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc600.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc603.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc603.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc5fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE00F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc605.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc5fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2657.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc600.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc605.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc607.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

268 taskkill.exe

pid	process
268	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEMsiExec.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC8FDE61-6D7D-11ED-B559-F63187E7FFAB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000025009f01fa979f804cae22428a02c8675b193508e7e729c067be129b79baa51e000000000e800000000200002000000003878f59b28c0d8edfebcf58f47a2144701ff772d8ac4f41a9f8eebcdee1c3eb200100000c778df3deee2f0d31ee07709b62e3194945148e13ffe75ed6ca0bf0a3f88f75a9dfd0403d45c4d1bc8e43200abe234a9a7bfa12609d4ff47e71bbadd44365ff0475d9a5e694fc51bf9d248b93c9f051727a408f4468066d24f92db825d3c896c6b993a540919c14c863d2e90f9f8792821fe1497f1a4954c104510bd64faa80be2c57fa9f48af03171567379cd8505e20efc723e395ef8c72885944f78b1316bd2ef1c81158db136b9b524e29f8c2c1489ecd51e8cfbc1c53f85a81937929496c6ef5255645e3141896fcd58dafca2f58cab285b808049e47f27a755bdd450a6bab4d0417fe7217eb918c7f7b9c78eabe4ea920d7170c6f5aba4d8de62ae9b7dd27dc923c4fa71fa58e6e64117835c58a13cb290e65c7104d1ed936e0ca5fca40000000e8201cc2b0e2fc7cbea4670b8542873ed848e5196b25ee1e965496551383cbdf5a6dfdd920e1239d7894cb0ce74ab5b5b56691ddc93e3a3b39ea04a5d902b91a	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre7\\bin"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000ceae7504c20a6d4dadf6905647d9b2cb2d64394c42672241f9ef68acd394fd43000000000e80000000020000200000004e1e26cabfdceb2b4e0398648ba0e79b88d6bbc596bf78573c323c3cc9ae9e9f2000000063986f54c1ddc8eea29bc9efc87b21c9dbb16753a1d7c4f208787493e516aed9400000009238d584414c2ffd20d5908aba731bb9c8ad3a8810f5ece22718c58357bc621eb98346afc09e27a3a29dfd869d645a5cab08141c453d7cd81d430edfea1fcd4a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d607d78a01d901	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "3"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe

Modifies registry class 64 IoCs

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_03"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_18"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_26"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_14"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_03"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID\ = "JavaWebStart.isInstalled.1.7.0.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_27"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_41"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_26"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_51"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_38"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBB}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBC}	MsiExec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_40"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_38"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_21"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBB}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_16"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll"	MsiExec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 77 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

iexplore.exemsiexec.exe

pid process

1620 iexplore.exe
1920 msiexec.exe
1920 msiexec.exe

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1620	iexplore.exe
1920	msiexec.exe
1920	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeShutdownPrivilege	1060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeSecurityPrivilege	1920	msiexec.exe
Token: SeCreateTokenPrivilege	1060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1060	msiexec.exe
Token: SeLockMemoryPrivilege	1060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1060	msiexec.exe
Token: SeMachineAccountPrivilege	1060	msiexec.exe
Token: SeTcbPrivilege	1060	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeLoadDriverPrivilege	1060	msiexec.exe
Token: SeSystemProfilePrivilege	1060	msiexec.exe
Token: SeSystemtimePrivilege	1060	msiexec.exe
Token: SeProfSingleProcessPrivilege	1060	msiexec.exe
Token: SeIncBasePriorityPrivilege	1060	msiexec.exe
Token: SeCreatePagefilePrivilege	1060	msiexec.exe
Token: SeCreatePermanentPrivilege	1060	msiexec.exe
Token: SeBackupPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeShutdownPrivilege	1060	msiexec.exe
Token: SeDebugPrivilege	1060	msiexec.exe
Token: SeAuditPrivilege	1060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1060	msiexec.exe
Token: SeChangeNotifyPrivilege	1060	msiexec.exe
Token: SeRemoteShutdownPrivilege	1060	msiexec.exe
Token: SeUndockPrivilege	1060	msiexec.exe
Token: SeSyncAgentPrivilege	1060	msiexec.exe
Token: SeEnableDelegationPrivilege	1060	msiexec.exe
Token: SeManageVolumePrivilege	1060	msiexec.exe
Token: SeImpersonatePrivilege	1060	msiexec.exe
Token: SeCreateGlobalPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

860 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

860 iexplore.exe
860 iexplore.exe
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE

pid	process
860	iexplore.exe

pid	process
860	iexplore.exe
860	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exesvchost.exeiexplore.execmd.execontrol.exerundll32.exeRunDll32.exeiexplore.exe

description	pid	process	target process
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1928	1048	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 1928 wrote to memory of 2012	1928	rundll32.exe	svchost.exe
PID 2012 wrote to memory of 860	2012	svchost.exe	iexplore.exe
PID 2012 wrote to memory of 860	2012	svchost.exe	iexplore.exe
PID 2012 wrote to memory of 860	2012	svchost.exe	iexplore.exe
PID 2012 wrote to memory of 860	2012	svchost.exe	iexplore.exe
PID 860 wrote to memory of 1816	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 1816	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 1816	860	iexplore.exe	IEXPLORE.EXE
PID 860 wrote to memory of 1816	860	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 948	2012	svchost.exe	cmd.exe
PID 2012 wrote to memory of 948	2012	svchost.exe	cmd.exe
PID 2012 wrote to memory of 948	2012	svchost.exe	cmd.exe
PID 2012 wrote to memory of 948	2012	svchost.exe	cmd.exe
PID 948 wrote to memory of 452	948	cmd.exe	control.exe
PID 948 wrote to memory of 452	948	cmd.exe	control.exe
PID 948 wrote to memory of 452	948	cmd.exe	control.exe
PID 948 wrote to memory of 452	948	cmd.exe	control.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 452 wrote to memory of 1044	452	control.exe	rundll32.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 832	1044	rundll32.exe	iexplore.exe
PID 1044 wrote to memory of 388	1044	rundll32.exe	RunDll32.exe
PID 1044 wrote to memory of 388	1044	rundll32.exe	RunDll32.exe
PID 1044 wrote to memory of 388	1044	rundll32.exe	RunDll32.exe
PID 1044 wrote to memory of 388	1044	rundll32.exe	RunDll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 388 wrote to memory of 584	388	RunDll32.exe	rundll32.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1620	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1184	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1184	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1184	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1184	832	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 1184	832	iexplore.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NFe35130560519634000187550010005208041116.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NFe35130560519634000187550010005208041116.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c call C:\Users\Admin\AppData\Local\Temp\YYYY.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
5⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -embedding
7⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
8⤵
PID:1184

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
8⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
9⤵
- Loads dropped DLL
PID:1120

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM iexplore.exe
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Users\Admin\AppData\Local\Temp\java_setup.exe
C:\Users\Admin\AppData\Local\Temp\java_setup.exe /s /v"AgreeToLicense=YES IEXPLORER=1 MOZILLA=1 REBOOT=SUPRESS JAVAUPDATE=0 SYSTRAY=0"
10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_25\jre1.7.0_25.msi" AgreeToLicense=YES IEXPLORER=1 MOZILLA=1 REBOOT=SUPRESS JAVAUPDATE=0 SYSTRAY=0 /qn METHOD=joff
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\AU\au.msi" ALLUSERS=1 /qn
11⤵
PID:2044

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -r jre 1.7.0_25-b17
11⤵
- Executes dropped EXE
PID:992

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SunJavaUpdateSched /f
10⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f
10⤵
PID:1992

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding
8⤵
PID:2016

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
7⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",
8⤵
- Loads dropped DLL
PID:584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4E710343A0C0C122D959AE422771FC8C
2⤵
- Loads dropped DLL
PID:1112

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5F5E0F34FCD93824944332B6B6279DF5 M Global\MSI0000
2⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1528

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856

C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
"C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992

C:\Program Files (x86)\Java\jre7\bin\javaw.exe
"C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46F13164DAE729BF5317A5002419ADDE
2⤵
- Loads dropped DLL
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre7\bin\MSVCR100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
C:\Program Files (x86)\Java\jre7\core.zip
Filesize
67.8MB

MD5
d78e367329073224e8191726414d22f4

SHA1
736c239c5ebc3b717ecfd0677d7316a45cd324f3

SHA256
b401d0cda4533e5fff3966458c4d5757ef2e11e1270bd346d771ac7c81031665

SHA512
7eacb67f0a323a225be368b4143075f7a43c8c10f5787507b5d0e0c2ab3c104503acc6af4f27b4adc8365f20ad467fa9d7b08a9aedc4c255a7bd931f907bc3a5

Download Submit
C:\Program Files (x86)\Java\jre7\lib\charsets.pack
Filesize
1.3MB

MD5
8105f16c4344a761c91400225dd2f407

SHA1
4318729372886731e59c56eb0c0ff842788045a4

SHA256
066cc3378d6d4bbc927ae13e2d0edfeded39498993ccff612c90e8957fe37f7c

SHA512
a07812a0b97f72b8edbd9b685f2a5fac74d49b7cd2db4cc59aada34e9aae498e7fe3dfcad3b423362aa499a01bb85f89768232bb999d164cdd4ccfb939ad8308

Download Submit
C:\Program Files (x86)\Java\jre7\lib\deploy.pack
Filesize
1.6MB

MD5
6817be4ba9534ece650cb8f2613a1f8d

SHA1
bec9ced4daa0409e9c1de804a861aaa10ec76eeb

SHA256
42a15bf606fcaeeb24e66178720ed6cdf84f5286729767494237c227e13cf165

SHA512
0a195f69f307b7cf1b1aa09f4937940c576c2fd178eda595534ee501f04160b10f77fa2a130fa318502352a33ef2fc4dd0244fa578eb4667c5dc66c43f9604d6

Download Submit
C:\Program Files (x86)\Java\jre7\lib\javaws.pack
Filesize
200KB

MD5
5441d87177a259990f5cfb2286eb8431

SHA1
53aeff0e2186031f5eee219a353d064ce62dee07

SHA256
c4c69a1acccd498a81d84efe76f36b441fe59359f4eb2d74abd53e1f3840e82c

SHA512
2c3848f00a956242e645a750584dcffc90fd94db0a7d5f478f28c5111b952ea2212b0343692f389e4b4c41b21a3a8128447d5c09787d92ec2617c4fb98c69a25

Download Submit
C:\Program Files (x86)\Java\jre7\lib\plugin.pack
Filesize
483KB

MD5
09a4a2b67c1d3a8e47a1ecbc3aa2b185

SHA1
72cf27003bbc38744ed85c2194838fb32303dd31

SHA256
9263a4fcdf9390c9c8927730f49096ee1c91ab043ee7aa796c1a4774130ade69

SHA512
ed090804525758c52f6899040328fb7c8b483001a54e42e837a420b4c7b45ba5afab648e937aad436b73182c3f938d677b53bfe08530abf6e8b96264d9251a6b

Download Submit
C:\Program Files (x86)\Java\jre7\lib\rt.pack
Filesize
13.1MB

MD5
202b09af9c138c9f8dc153ae0383db24

SHA1
21d2d4a506548c70d5390d267932a05e3309525f

SHA256
adbdba864b92f77cb72ccf328722fdee9844d2ab8a8e6a9f16da43bc49a1aa61

SHA512
f35b20a1ac91c91c5dcfaa0bc5ae81de9182ffff3a33f296c6a8c52277c108a771353df039a0112db26f932d853f53e000bb2c59b42fcf6015e6ede3020b1898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
493cfd2b25fa952f8e65a2deb2db0e16

SHA1
ad14ecb4f1f8904c261a92ab22123caea2acdae4

SHA256
4adc092040553cd7e9cac96e35178ffca21be9e5773b35382a7111150070476b

SHA512
120504c92be7481b19d1c5e16ea1e105d47a25b3d983573a1de5277ccc5140c2d8bf8b9ee8caa0822dd1a9b87d077537da6df4b852c1a9ede61962e7233a219a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
d189c52da58b10be1f0521df06df9a94

SHA1
542322c8899fd650e504b1694165ae7ba864809a

SHA256
879db4ebbf542a65884e88b1f4d7931076b32ce756af8734862c18071ce09f21

SHA512
392075862f033b61a9b6a3abcfc504abb5e40774840f582517905aa4f6b0879b4d129248323f7a023d3084082335a8ea1cfc4fc1a8bd648562415f75d1b988d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
404B

MD5
0b1b6b2b3f0a5b15c8ce1525a9639031

SHA1
9253732f44d08828acad964d43a9602715780540

SHA256
9ab93f1978034f1f7a9c07afd999ae4ff075fcca3be9075a409dd03d5e5303b2

SHA512
4440ddb0f4bb36c9a682bf065d8744375bec8c021dc25f33aea680372fe5792253731c46ea2cc6100bf268cb020701ed6952f576e4ca7c7b93a3ba93a10d7cd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a229713dbe4ac5729eab24d5e78e3c59

SHA1
fe53311bd69bd9dd58c1b7e1aba3e10fe901fbc6

SHA256
dc6a96aa706caf8349f85dd064f26d704084f80dd773ace84b9722933e3e07a9

SHA512
867e6d742db7d74ae4b3c94fbb14d82299c198aacdb47fb2e4ea3fa13076525f193b8bb5965fb070104b7efd15cc4a95b07f18683f55833f848bc07242ea1936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4b567beb1f45035c68d89a5c24ddfe84

SHA1
9ba8cb8ae88da280ecc3c10c8b6f6527b9fb6da6

SHA256
f6cb41e2ee8692866e4dc51577ace59925b2dac966b31c41234fd8467a3f1ca3

SHA512
1437ffaad20cee3c0c0565657c770323ad8cf88fec59f85be83e081172819e760045e012923fbca7bd485ffd9202205e6c3f205fcb342a2eb7584100615e6f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f02cc00f76678f63b04d065e60c595d7

SHA1
31b62434261786898c7712e499f9345b9b6d6746

SHA256
15016d4b0781f63a13cf9bb810b5cd4ae80aea44d01c70d780fed31ec925650f

SHA512
12ace9cc10cf3995050d0e739a395550f77cb32402897525e4152640f463f6c099f2391343d29f296e84c044a41e1f0586c7034af94838bceb2ccf8b361f8df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
15989d02a0f1ac5b57a01858f8331b74

SHA1
96309d44cb638171d0012f2d986f147bbc800b6f

SHA256
91f55b067dda5e3d8a401087ac45cc6af946ebe8eedbaf135b3eb215c1ad078e

SHA512
735d7176d75eef0a5c70b24b466097b173d61d1440a18db2d44372932c6750fe5ea814d62bafda58518debad45a6bf974a425bcb3955df53ea1975bcf85842fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c6e4282e539ee1151478b2e5f492f961

SHA1
7747ed1335a40a27365a4669a901ae9df3ec227d

SHA256
6a75490cdf635399eb68d9f61efaf0636043e28e7676cabe1ae248831cc0a7bf

SHA512
0a8690dace5c5344b0f6272627759021cc1b7f29ae4849d692508058bcad03ca59798a64fb4b8d5ede62a43ac5d4f0fa0156023bf8a89957ab6937d5fa1e1de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c6e4282e539ee1151478b2e5f492f961

SHA1
7747ed1335a40a27365a4669a901ae9df3ec227d

SHA256
6a75490cdf635399eb68d9f61efaf0636043e28e7676cabe1ae248831cc0a7bf

SHA512
0a8690dace5c5344b0f6272627759021cc1b7f29ae4849d692508058bcad03ca59798a64fb4b8d5ede62a43ac5d4f0fa0156023bf8a89957ab6937d5fa1e1de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
beaff7df67832c06c7ba425bb629173b

SHA1
c11aa4697a045474338ed71fc1a3790774a5642e

SHA256
fe4ebe5acb7bb727812ce95c5a170de58cc03e4db8117d848b947efdb30b96f1

SHA512
e1b74c644bd9381688f976fb23a3ba7d805aee693a455cf41f97c63e361b06d6d00c5fb7f8eb728fbc5d6e7335190af44ae53fd4f1e899eee42a9401b82a98fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
4242be0da83ada509a7c326deafc92aa

SHA1
61a3b3efbde8f98c8abfc07011e7178b4f88649a

SHA256
47fd620db6514c1faaf12c1eed225428c1929ded3ea75d1cb0ba0fb929c4d1c2

SHA512
c75bfbe69767e129e949bb44627081670d2915ac5e28347a56484397ed6de5397575534282dcc0a9e00edbd9b30c9fd74d310db789bbe2f4328dcb3cd166b2d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
cf96f7ac3229ef2348c49e8c805e8cc5

SHA1
f86f110ba39ea0780e50ab9ed8f1c3357acab33d

SHA256
16290cf64163c7925bdd30874d344d083febccd4bfcfea1189515f1c576c76fe

SHA512
1f73ea84f2551b152f649501801199d7e2d74680e885fe1ebc4493436f6e14a94f3fadc1b640609dfb40e6a0fcd81138b3fc766cfaed7aadddba685178cd3c8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_25\Data1.cab
Filesize
26.8MB

MD5
e0c56be7c85fb1521bb10cabdf0d2afc

SHA1
cd0c5fc3b04cd53a40511cf779db1a5cd70d913a

SHA256
4fae60f82261871366d9ddfb404f0da38cb6bb8b30bd853526f4c23b0835cf36

SHA512
a6cc19417274eb21534101bd1490b3547bdeb29c7e3c5ceb886548a3231cc1ea22ca44bbb7edcce91109ef2dc823821cd9dbebd2f0066c121c3ff9bc5b7f76f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_25\jre1.7.0_25.msi
Filesize
867KB

MD5
c6bc5b82f4e43477313cd719a474f780

SHA1
2022996e7001794c62a5d85dfab2d4edc4ca48cf

SHA256
cf008dcfdbb5fef8f3c5d8da412ede4f7113d46a24fcf4b3bffe62cca07ea26e

SHA512
5ed3f90ac588b8d4b7eb45958ffaa6d632bcaa6f6122bbdbf57265640927bc7b7d70b1371970a876d8c0ee493151ff1aa0e3287b0089627301429225da1303bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
8c9d9bf2180e7976fe576810c7eb725b

SHA1
07dc256e1452c375025fe324402cd4c40315a48e

SHA256
ad6705010d0b989db46e65f5ac1b0239eba0b681f6bf39f99aef6d494fc0d6e4

SHA512
df173644cf845c647033ebb0a2d3c25875299c5d8a3935df2537bd6a66fe23aadbee5e77c61a116e8105413e612b954fa0c719e274d6abb0b29779c9fee10fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYYY.bat
Filesize
186B

MD5
ed5d0dd1e636b46c029431fe1b22c177

SHA1
8730dbda5b02b208025efc9729078fd922916244

SHA256
19aa3105126cc8c82f49a43b611d43ca5c86e2a23cbd924cf43f0b58f6786eba

SHA512
ac5a61fed23e6c7455059ff959e32f9d648fd830fc5d1febdbc8b4907db7e1bb8bb73013ec1fd71dc3ca506598b9a591342e27f6d8e1884af414d3efda256526

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.gif
Filesize
1KB

MD5
efed2d96aa5344910603f3538edbea7e

SHA1
c1988553afe101e4d6cbdb2901439ad01ddf4640

SHA256
7c4ccaca19175775f6fbeac19e6d6bb0497c40e76a774e5dfa481e3ccc66aed5

SHA512
b324b4e62b7f6f4334c06d40d9855bb602812be14fe41040572addbcf9a51a4a227bd63ef614242ecb15ebe89aa9304146710e4bc129b46e4a453b2b794e42ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
426B

MD5
df135bddca3cf82a413137fd7407a2e4

SHA1
d9b0f2f738ee7f4e62c8816ec0560b8dd3d5809c

SHA256
846cdb44651885c925c39c9e2009fdbde80ed71769351753137746c4b8a49c6c

SHA512
113e9d3684f470624a8a560a0b81ea924c30b359801cc4c3ee5c54dd6e286d188ef549673ea32a588bcea6a8b1b7c01ce1e0fbf4e7f2a70c594552a980b019f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
195KB

MD5
2b23aa63bf07beff360dba62adbeeb5a

SHA1
c8517db6c0adee8045d48ba50d35869d86f06595

SHA256
d820d969d44a6ddf09965335ea724a2030d98770d0c0bf14a19afd992cdc597f

SHA512
1f659d6c1467724996817d24d06d9f341f642bacadfcac033bfcd870fe719b0afc2894d1ce9a06e3a7a88779e278e570d5af9178bd8859d0517833d970f9478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
196KB

MD5
3cbdb66335695e9332f80c4627017867

SHA1
8e620dcfc824c49776c46362de95b23cbbdb3937

SHA256
7f08d7c17ad7ff65c3ff4e3d780abfc00fe579df874ba50528e48f9795af054d

SHA512
738995fbc4ff820d7ea59f201b3c9ecc9ac09d4735544627be3c0f631aac628cde24d28981dbcbe2296430343f04566bc31cd2880e6870dbc1483c9b4cc8194b

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
196KB

MD5
6734a1054b1d4cab2e10cc51a27d936d

SHA1
e79d0a5e2b7e9e7c325c13b813b4ac3dd178863d

SHA256
26414cf8d52e6be3da664a77a869f4f51232004af618dab71220ec7e80347eae

SHA512
16c984ec8b3a9ead9ce8839d539cf9f8480b4027749d5d28af7d45ae74fd9504db01e4468d9dd0ba5250ea9a2ce23857af21a4a665659845590a415096031ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
197KB

MD5
4000839cb773d6fdf73be3c77e09325e

SHA1
b68201567c050ecd5f0b6e1d735e28650fe7dee8

SHA256
7f925ba47d268dee956c7bb48544839d711fb58da44348ab5eb5768d0d51f063

SHA512
618efbbad66efe602f0b6aa64ab34373398a61ac3fc2c8c32c950ba2797aa1f97cda273160e58147b44fe613136d6ec833b1c23ac7bc5c492ad2ab5ed07a48b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
197KB

MD5
7a8cf1eae49eb47b497b33cca888d0a3

SHA1
9fefc5f9752477e2d73cffc53eb2d1025df36a65

SHA256
af717f8b38d229bf90df123d025315f605cfd2f919dc0d506457fa5a745f3757

SHA512
6ef09b075e33b7c213c6f77f5090fe9cd26afe7a03054e3a8d008799407b72cd2652254f2c60bda677c530655bee09d0252dbc204d6c5ac2d7a327bf3bb87246

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
198KB

MD5
b7eccd4c3c48abcf68f01621352f37a7

SHA1
cf8b7192d2f3f13763143622bac4bdf095ef59d2

SHA256
04adc26287abb8436e51ec1cf1e781e930282d68a406d2b0f00a0f3771d17ee2

SHA512
23ae49b4ae0765fa16bf1d9a8dbed5af6e4d04c774de3f78c3795393ae8a46023cbe943c0e132ba5b59903ad5cdb1f4f418ecb3d3ebc9d56a53d97fcf499238f

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_setup.exe
Filesize
30.2MB

MD5
507c7f50a1d3b50ab9c015180b626d33

SHA1
0adf48a414d81d2c7fafe93298644d9e26a5706a

SHA256
a560161dd12503f444e1aa87b48e83dbef1ad8d01be5d9b0612ebc79b69f00ce

SHA512
09fa6f5f99efc68a50a4d92235370819ce81e7ead54d52bd6f22073fa303299fb08fc893a2d852e30b47e144121a66821d3575d59f2796cf844a478cce47a294

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_setup.exe
Filesize
30.2MB

MD5
507c7f50a1d3b50ab9c015180b626d33

SHA1
0adf48a414d81d2c7fafe93298644d9e26a5706a

SHA256
a560161dd12503f444e1aa87b48e83dbef1ad8d01be5d9b0612ebc79b69f00ce

SHA512
09fa6f5f99efc68a50a4d92235370819ce81e7ead54d52bd6f22073fa303299fb08fc893a2d852e30b47e144121a66821d3575d59f2796cf844a478cce47a294

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
602B

MD5
f3986e8a256c7cd310b1af4c44b188d5

SHA1
dd5d05204fff04b893f0b92890eb17c87d912301

SHA256
ebe3ef8a4a7962cd37a4ba2ddfb0a32b2161f96aac548e6fd3c0f20881f051ea

SHA512
09b7c77e7893293f169daad1a7cbf96ff1fe3ee1a2b9a39e50680ee2797f729abc7ac76938102bdbd6d1a12a4765a1d7da82e2ad51c2f1d8173808118122b6f7

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em4.jmp
Filesize
8.2MB

MD5
066c74a4c54e35a80beaf295cf8d460b

SHA1
46545679ad7e5acdc573d23fe3bcfea93bbbb2c3

SHA256
5ef54ab34b9140e528e64babe53d7b0938440a8c9bba619e9802b5e50d724898

SHA512
2bc7e62a21b91cc8ed7f6a3d91dad20bae9f1f45e0b9af0931fe538e4a232bc14225164b13fa67f4f8bfede907067d2f7c772baec8722826a0382ccbe8b40c3b

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em5.jmp
Filesize
1.1MB

MD5
0a9e1f77c45cca70272b33865de7936e

SHA1
a5795ef4bc0b83571b7a5b5ddc5d7255451b8948

SHA256
7eb2b0e0e856828b2b2253377d87b03657492e4cfab23450f9aaa078c743da5c

SHA512
3e3eaf7708c1d8b511d86c8081baec275d3aa90ee0e34c4addf5fe1447642371910805fca9dd9245e89bb717d7f61a0b2b9c8c6d365e24281963d51ca63db371

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em6.jmp
Filesize
1.1MB

MD5
779e78cf8089787cf3c61503af0866ac

SHA1
76c2388422b9c6bcc362de42c3f6f034d8311588

SHA256
330d13511cd53832f279e101d8aa86537915852cebff8ec700f26ec019372568

SHA512
dad0d36e27251f0ecffda4343eef6e4db778635b05777d72207716d8b8f652281c876236065dca370a5b60dea7368d1cb681826abc28afd1c4bc412f299cd7b6

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\em7.jmp
Filesize
784KB

MD5
8a4c09849291a01329f02f9f21e615b5

SHA1
41e5a8d2e2a9fca4b2707fba4ad5dd9714829766

SHA256
558626ea14fdad17fabe84d3cb0c03cfc82f1ffc3e47c6ec6372ec2f15122110

SHA512
dd5a4dcd9506df344c877d602c867b04738c61c24ab93d5c10c9d9f3ccf1174a8c312f517f43769a241fca6eeaf409bd919349fe793b6490877b691fd8264a93

Download Submit
C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl
Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
C:\Windows\Installer\MSIDA44.tmp
Filesize
184KB

MD5
8881aea9b0d54135ac6a865edc295875

SHA1
1796864f30298f5a715e1b60e7956d4011586ad1

SHA256
2d4b3090293f52c2a0391275d1e0761b8cbac7cca2a73752c04ea56822552f86

SHA512
ca25a0fb1f6879deb5f6caa2396754aa7c5eb84f2d543f6bbdbb0e985318b87feae3e23d69c90fedcd0f3ff9045bcbdbfe7506a0ad1b35e72f472aab25c7c64c

Download Submit
C:\Windows\Installer\MSIE732.tmp
Filesize
184KB

MD5
8881aea9b0d54135ac6a865edc295875

SHA1
1796864f30298f5a715e1b60e7956d4011586ad1

SHA256
2d4b3090293f52c2a0391275d1e0761b8cbac7cca2a73752c04ea56822552f86

SHA512
ca25a0fb1f6879deb5f6caa2396754aa7c5eb84f2d543f6bbdbb0e985318b87feae3e23d69c90fedcd0f3ff9045bcbdbfe7506a0ad1b35e72f472aab25c7c64c

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Program Files (x86)\Java\jre7\bin\unpack200.exe
Filesize
142KB

MD5
482ef84844a4c13712fb8ad193c32062

SHA1
b176255162beb952fe084a9abb0241fbe4dab7f5

SHA256
3a88f2235cace058d2e161ff628bc1d05534dc34fd0ce49991792f5e388122d0

SHA512
229ad3a1363401353eb94ff22bf0fff2866bd8d0940377b35fb8eff03ec49ca09412542c6d7a74cec47e78647143842cb7433d7045a30dba453bed95a2a03e32

Download Submit
\Users\Admin\AppData\Local\Temp\java_setup.exe
Filesize
30.2MB

MD5
507c7f50a1d3b50ab9c015180b626d33

SHA1
0adf48a414d81d2c7fafe93298644d9e26a5706a

SHA256
a560161dd12503f444e1aa87b48e83dbef1ad8d01be5d9b0612ebc79b69f00ce

SHA512
09fa6f5f99efc68a50a4d92235370819ce81e7ead54d52bd6f22073fa303299fb08fc893a2d852e30b47e144121a66821d3575d59f2796cf844a478cce47a294

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl
Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl
Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl
Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl
Filesize
1.2MB

MD5
9386510028d854a5241c293a16cbaf90

SHA1
7671438b4a84e99efc0b80a036ebef834318d575

SHA256
bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7

SHA512
af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588

Download Submit
\Windows\Installer\MSIDA44.tmp
Filesize
184KB

MD5
8881aea9b0d54135ac6a865edc295875

SHA1
1796864f30298f5a715e1b60e7956d4011586ad1

SHA256
2d4b3090293f52c2a0391275d1e0761b8cbac7cca2a73752c04ea56822552f86

SHA512
ca25a0fb1f6879deb5f6caa2396754aa7c5eb84f2d543f6bbdbb0e985318b87feae3e23d69c90fedcd0f3ff9045bcbdbfe7506a0ad1b35e72f472aab25c7c64c

Download Submit
\Windows\Installer\MSIE732.tmp
Filesize
184KB

MD5
8881aea9b0d54135ac6a865edc295875

SHA1
1796864f30298f5a715e1b60e7956d4011586ad1

SHA256
2d4b3090293f52c2a0391275d1e0761b8cbac7cca2a73752c04ea56822552f86

SHA512
ca25a0fb1f6879deb5f6caa2396754aa7c5eb84f2d543f6bbdbb0e985318b87feae3e23d69c90fedcd0f3ff9045bcbdbfe7506a0ad1b35e72f472aab25c7c64c

Download Submit
memory/268-105-0x0000000000000000-mapping.dmp

Download
memory/388-89-0x0000000000000000-mapping.dmp

Download
memory/452-79-0x0000000000000000-mapping.dmp

Download
memory/584-93-0x000000005FF40000-0x00000000601FD000-memory.dmp

Filesize
2.7MB

Download
memory/584-90-0x0000000000000000-mapping.dmp

Download
memory/620-153-0x0000000000000000-mapping.dmp

Download
memory/836-131-0x0000000000000000-mapping.dmp

Download
memory/856-158-0x0000000000000000-mapping.dmp

Download
memory/860-175-0x0000000000000000-mapping.dmp

Download
memory/948-75-0x0000000000000000-mapping.dmp

Download
memory/976-108-0x0000000000000000-mapping.dmp

Download
memory/992-173-0x0000000000000000-mapping.dmp

Download
memory/1044-81-0x0000000000000000-mapping.dmp

Download
memory/1044-86-0x000000005FF40000-0x00000000601FD000-memory.dmp

Filesize
2.7MB

Download
memory/1044-88-0x000000005FF40000-0x00000000601FD000-memory.dmp

Filesize
2.7MB

Download
memory/1060-113-0x0000000000000000-mapping.dmp

Download
memory/1112-119-0x0000000000000000-mapping.dmp

Download
memory/1120-103-0x0000000000000000-mapping.dmp

Download
memory/1172-143-0x0000000000000000-mapping.dmp

Download
memory/1528-125-0x0000000000000000-mapping.dmp

Download
memory/1920-116-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1928-54-0x0000000000000000-mapping.dmp

Download
memory/1928-64-0x0000000005F20000-0x000000000602D000-memory.dmp

Filesize
1.1MB

Download
memory/1928-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1944-148-0x0000000000000000-mapping.dmp

Download
memory/1948-171-0x0000000000000000-mapping.dmp

Download
memory/1956-162-0x0000000000000000-mapping.dmp

Download
memory/1992-176-0x0000000000000000-mapping.dmp

Download
memory/1992-161-0x0000000000000000-mapping.dmp

Download
memory/2008-138-0x0000000000000000-mapping.dmp

Download
memory/2012-65-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2012-95-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2012-56-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2012-58-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2012-59-0x0000000008CA2744-mapping.dmp

Download
memory/2012-60-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2012-62-0x0000000008C60000-0x0000000008CBF000-memory.dmp

Filesize
380KB

Download
memory/2044-169-0x0000000000000000-mapping.dmp

Download