eb8b2c7d51ca85de8962a91626b2bfdf3900185810ab80ff789b217471532728

Analysis

max time kernel
311s
max time network
178s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
28/12/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcherfull-shiginima-v4300.exe
Size

5.4MB
MD5

3e1ad25616e2d1435fc938fc4fb0cf79
SHA1

48baffa8089e4b29fa9acacde0ef4e82a6f28771
SHA256

952a0c261f263416f2dde7896b526539bbad9fa81ba382f7fbd0628b9a18c3a2
SHA512

f165a25062fcc5e8f5b69fd7db2f97668d88ff236a509120a8cfd78befc45e3777f27030654bfc624a4b54da12152225f61c05ac945ef37cbf0451751f0b995d
SSDEEP

98304:Y2LidbOU72RGEaRja98Xq1N/dIFbpeK0TLzE9XuS5tSXylo/LHz0k:HSbOU72naja9HYFlz0TLzE9Xgym/LHQk

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
896	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
756	LZMA_EXE
1576	LZMA_EXE
856	installer.exe
820	bspatch.exe
1592	unpack200.exe
1076	unpack200.exe
304	unpack200.exe
968	unpack200.exe
1572	unpack200.exe
656	unpack200.exe
1056	unpack200.exe
1764	javaw.exe
1420	ssvagent.exe
2012	javaws.exe
1592	jp2launcher.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0094-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0179-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0350-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0296-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0330-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0226-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0174-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0302-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0219-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0095-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0207-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0099-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0334-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0328-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018bcb-120.dat	upx
behavioral1/files/0x0006000000018bcb-122.dat	upx
behavioral1/memory/856-123-0x00000000001A0000-0x00000000001B7000-memory.dmp	upx
behavioral1/memory/820-124-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x0006000000018bcb-125.dat	upx
behavioral1/files/0x0006000000018bcb-129.dat	upx
behavioral1/files/0x0006000000018bcb-128.dat	upx
behavioral1/files/0x0006000000018bcb-127.dat	upx
behavioral1/memory/820-132-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/820-134-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
896	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
964	MsiExec.exe
964	MsiExec.exe
964	MsiExec.exe
856	installer.exe
820	bspatch.exe
820	bspatch.exe
820	bspatch.exe
856	installer.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1592	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
1076	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe
304	unpack200.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\prism_d3d.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\w2k_lsa_auth.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\management\jmxremote.access	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\management\jmxremote.password.template	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-profile-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javacpl.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\win32_MoveNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-util-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\blacklist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jpeg.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\meta-index	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\Welcome.html	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\nio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\libpng.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\fxplugins.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\javaws.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\README.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\policy\unlimited\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-locale-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\eula.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\lcms.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\localedata.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\cldr.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jfr.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\cmm\LINEAR_RGB.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\sunjce_provider.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-conio-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\jsse.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\flavormap.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\management-agent.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jabswitch.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\pkcs11wrapper.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-datetime-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\jfr.jar	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6d5cc1.msi	msiexec.exe
File created	C:\Windows\Installer\6d5cc3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6d5cc5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6712.tmp	msiexec.exe
File created	C:\Windows\Installer\6d5cc1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6184.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6626.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6695.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 802d31dc121bd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000004e31fd9bb3dadb0ccd75300d619b2f3d4c29b097478b15abce1801c0d9862d14000000000e8000000002000020000000a08d68c6089f0a749c99b102a068925abf5e28ad410128c9e6ada4b607a88314200000005d95ed517011ee66de035c00e1c0833bf7a9358e2609deb1054d4e4c1e1e9d2c40000000265436eba8f5703a6424f0ed6a5b1e16be2632c43f07fddabdd9b09cc5e520f1c3f6905ece0574738b33e94423288611d17e0fdb5aa883bbca9b5cb5d25f509c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000001e08f5aed0aa0c18d330e28ec660d21ba0582a10b2e4a1e66d752462f250fb45000000000e80000000020000200000005a360b81600eb09c38082272ff52e1e8708637c3452fd01ff4402d44eafcf34b400100009f5435db61120c0f083bfd45c178a35c46e7076ed1fd52011fc0b1c4cf14baf3440a4f35d2fe20c686638233d5b6b290ad16b18cd0f8b9a5342d303211fe6942c2a65a5ddf65688caa3335a0ab8d17ccad4470d39b09c9d8d947343d5674b061655a1ea656b4e2e08d0108989240f7df0730e9d30fa852f9dc54f8b34cdd57eb9bbc3cc4d162f10b477ceb27aa58260cd39f138a358f543a625811e3085db60570e750f35179e6350e21c87e359bb3cc424447201d17652da60f7a123674f180d67e74a5d3d3f44c0dbf8b80f1dc3cc138519c3cc82ceee4fd7866cffdb4803b02235f85187a4343e3c8dd5bb2d24747b5c48f611fcec7af2253a1f152dd255bf2f352844d7db9a7351bdf3093face14cae72820c0c8761486b5606fb8b98770428ff8d57b243f0604dba2983fad1350b0b3efcc050979cd30143fce189e1a504000000075b223c0de60d615ee555d213bfe4347f25c83ad0d64b47ff5d117cbc4c24547835d59eaf3daf8559b5644ace78da16cf94a53f5baae0e41f6f9fe58b3b42d3e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379034528"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "227"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0A5FCEF1-8706-11ED-BFE3-62623DBA50AE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "222"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u351.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107233e7121bd901	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "227"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0315-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0338-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_338"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_92"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_289"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0322-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0285-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_285"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0231-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_43"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_31"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0115-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_248"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0117-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0139-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_139"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0328-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_99"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0123-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0169-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_80"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_176"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0290-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0089-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_289"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0251-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0112-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_112"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0123-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0317-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0291-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_291"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0217-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0286-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_27"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0112-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_207"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0189-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0233-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0149-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_09"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0089-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0225-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0133-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0138-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_138"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_45"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0262-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0296-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0093-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_80"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0360-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_29"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0151-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0226-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0350-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_84"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0196-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0323-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_323"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0220-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0094-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0098-ABCDEFFEDCBC}	installer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	javaws.exe
1592	jp2launcher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	JavaSetup8u351.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1708	JavaSetup8u351.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeSecurityPrivilege	1260	msiexec.exe
Token: SeCreateTokenPrivilege	1708	JavaSetup8u351.exe
Token: SeAssignPrimaryTokenPrivilege	1708	JavaSetup8u351.exe
Token: SeLockMemoryPrivilege	1708	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1708	JavaSetup8u351.exe
Token: SeMachineAccountPrivilege	1708	JavaSetup8u351.exe
Token: SeTcbPrivilege	1708	JavaSetup8u351.exe
Token: SeSecurityPrivilege	1708	JavaSetup8u351.exe
Token: SeTakeOwnershipPrivilege	1708	JavaSetup8u351.exe
Token: SeLoadDriverPrivilege	1708	JavaSetup8u351.exe
Token: SeSystemProfilePrivilege	1708	JavaSetup8u351.exe
Token: SeSystemtimePrivilege	1708	JavaSetup8u351.exe
Token: SeProfSingleProcessPrivilege	1708	JavaSetup8u351.exe
Token: SeIncBasePriorityPrivilege	1708	JavaSetup8u351.exe
Token: SeCreatePagefilePrivilege	1708	JavaSetup8u351.exe
Token: SeCreatePermanentPrivilege	1708	JavaSetup8u351.exe
Token: SeBackupPrivilege	1708	JavaSetup8u351.exe
Token: SeRestorePrivilege	1708	JavaSetup8u351.exe
Token: SeShutdownPrivilege	1708	JavaSetup8u351.exe
Token: SeDebugPrivilege	1708	JavaSetup8u351.exe
Token: SeAuditPrivilege	1708	JavaSetup8u351.exe
Token: SeSystemEnvironmentPrivilege	1708	JavaSetup8u351.exe
Token: SeChangeNotifyPrivilege	1708	JavaSetup8u351.exe
Token: SeRemoteShutdownPrivilege	1708	JavaSetup8u351.exe
Token: SeUndockPrivilege	1708	JavaSetup8u351.exe
Token: SeSyncAgentPrivilege	1708	JavaSetup8u351.exe
Token: SeEnableDelegationPrivilege	1708	JavaSetup8u351.exe
Token: SeManageVolumePrivilege	1708	JavaSetup8u351.exe
Token: SeImpersonatePrivilege	1708	JavaSetup8u351.exe
Token: SeCreateGlobalPrivilege	1708	JavaSetup8u351.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe
Token: SeRestorePrivilege	1260	msiexec.exe
Token: SeTakeOwnershipPrivilege	1260	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1860	iexplore.exe
1860	iexplore.exe
1708	JavaSetup8u351.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1860	iexplore.exe
1860	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE
1708	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
888	IEXPLORE.EXE
1708	JavaSetup8u351.exe
1708	JavaSetup8u351.exe
1592	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1860	2008	launcherfull-shiginima-v4300.exe	28
PID 2008 wrote to memory of 1860	2008	launcherfull-shiginima-v4300.exe	28
PID 2008 wrote to memory of 1860	2008	launcherfull-shiginima-v4300.exe	28
PID 2008 wrote to memory of 1860	2008	launcherfull-shiginima-v4300.exe	28
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 888	1860	iexplore.exe	30
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 1860 wrote to memory of 896	1860	iexplore.exe	32
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 896 wrote to memory of 1708	896	JavaSetup8u351.exe	33
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 756	1708	JavaSetup8u351.exe	35
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1708 wrote to memory of 1576	1708	JavaSetup8u351.exe	37
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 964	1260	msiexec.exe	40
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 1260 wrote to memory of 856	1260	msiexec.exe	41
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 820	856	installer.exe	42
PID 856 wrote to memory of 1592	856	installer.exe	44
PID 856 wrote to memory of 1592	856	installer.exe	44
PID 856 wrote to memory of 1592	856	installer.exe	44
PID 856 wrote to memory of 1592	856	installer.exe	44

C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4300.exe
"C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4300.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:888
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\JavaSetup8u351.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\JavaSetup8u351.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\jds7136031.tmp\JavaSetup8u351.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7136031.tmp\JavaSetup8u351.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:756
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:1576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CE1242D03C03762729B6A10E203199D4
  2⤵
  - Loads dropped DLL
  PID:964
- C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:820
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1592
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1076
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:304
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:968
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:656
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1056
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:1420
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2012
  - - C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_351\bin\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe

Filesize
111.5MB

MD5
df17b88720a2fe52476de4ed530f959e

SHA1
b452a00266f190b8ee9a941d3bb386b53395f1ce

SHA256
060c06fd8e8fea6097fc80949993f9a7580d1501698c7d28b86ff204cc96929d

SHA512
30c8c164f9cc7dca95f49953843d67adb3b1260a10b5395f370773345335367becba766867987a793512ea57e8a1cc51e7a4e66603d107ce0e57306e03ca543e

Download Submit
C:\ProgramData\Oracle\Java\installcache\7175874.tmp\baseimagefam8

Filesize
67.7MB

MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7175874.tmp\diff

Filesize
42.9MB

MD5
2c4665487dc2e07936d2301e94e4d5b8

SHA1
9a0368248e18378bfaa40991006094fcd1208bb9

SHA256
a8e0403e19829af777cd8f1abe8f9b1d60cc65ac9fdeb3e7e78629cb9e1faf62

SHA512
70c06bd80fb7d90b47f3e1337bbae1206bcd03da9dc2e4f821cf62c8dd84d5350ca15012f109b2a581ed07c7582456c0f187a69a0b15584b04182ddbcc3ceb1b

Download Submit
C:\ProgramData\Oracle\Java\installcache\7175874.tmp\newimage

Filesize
126.6MB

MD5
9446260ab5de2c07c3fe42a9f0285653

SHA1
5bb3b5219129d553d96cf188f96e02ec6d0e58e1

SHA256
d628d97cf441fb8ce26456dfad9c48060d25ab0228673df01975e5209983d925

SHA512
8186456908c70357f762ec895fb81c062e5e3c8000fed2734f85e41f092c319b04c1ebc1c89773e385550710b7af276ca8bd42a31c9f87c4588285bf8b11a99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
af92cf721fb1b993ebe9b9f0bd59b0a9

SHA1
2124f3294949aa5c8d0bcee92a4ad5ae7ca9b17c

SHA256
6dc16b58d8a60578ae009361595b9e0e39b2e66dafc28512774e28c2e0b82fdc

SHA512
ce2d7957f4c01675e071e5678a2aad2cc0c7a1907c9d139e11134063f931faa149b2dfb874d17872fc4d2a1562ec56a87903b4b79029589caadf56f2d7d2baa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
25e86fc66b65f1cc30d8242135702a7b

SHA1
b47f0473118b14bd4b8e00147458ccdcafd19003

SHA256
5db5a20cad4dbfd74872da0f94b49f9c1adcde1e516222bc65ae1cfc10974b2b

SHA512
7ef0da1e0db6271e8cf6631ab5cf8128d55f27a785b3eaa2e1c4a7bae143af133621690694543a2e3326e55e9b6d4bb99af62b63e9f916864848b83ce0e87935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
79976c78d4b6275207205155f8f35862

SHA1
5824b4835ce9e0a0c2b22b08af1d3ed3015127ff

SHA256
05c07676d0a2482e058c94dd6fb57548c9d5bfac67ca652d65853c1744b84196

SHA512
ec97f9c8c17084b9d158d4ee0377a6c1874cdd85cca5bdb2fc66016084d5f93867cc6a552ee82903be8c280d4c32ad604a84dc85f000c183af360bdecf94277f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
f3eeb9dc07d240daba3fdda24f7a9a99

SHA1
0474002dc4b8a4b34af01e55505e84918a9b831c

SHA256
a2df9a1b906ea199b2cba23c1ff054b4bcb8742e7c2598133e85a22208f4c941

SHA512
e091ce46fb105168b01e2b05af038f564e9ee10ae789aca00225bbcea8fd5c5b638b5f0887847b42d66de9deaa31d15c6eda35d7536b837963a509166998dacd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
8a4e437cb1d097f4745c8589651deafc

SHA1
39043a96b6ae7d8fc786ea3959e789f5ad80834e

SHA256
a5d818e11273d7e5650a2cc3730f0889227dd16a7cbbb3eb70e2f0fcca8fba69

SHA512
3595c1cbb6070a9a536a6e99a0481f3f197f373bb7169aa3decbabafd3b3b5814bbe026dd4b041f0aa0085c1702d34ad5dcf19c7d8db99f782c2ea2daf7162ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68062d5bc9353432c7796d385219adb2

SHA1
92d8880c10042a3d879c3d6dfb04346a13378e93

SHA256
4c502029731879bf82239ac585792ad39ed80158b1f21f89290e4bc436e614b5

SHA512
79897833ba2d3b59167b4791715e3637001cd614eb67fc4c9199ce359bbe70ed35f3fb93e61d839122966126efa5df5d0ca1358fc4013cec08454f670ea8ee0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c4c25c9ccb44765319f0da364aa5cbc

SHA1
5765428245834b2a3b5daaab86e0492d04d000a4

SHA256
69f43366ce0beef96b0a9507d12a3ac2a6866a8bad9232fa50842a9fcb5c0877

SHA512
dc0fdee074a74e4efb37f4e96b72defc49b20847695a84731407ed2d083a87653e2b8803086324eea8a9813e362e60b9ee87906930484a7d8462be3669c8b908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a915b44d1fd8ed98780df8df2b09abf9

SHA1
44a0715f83909384351d3cba6f8cb0fc91ada630

SHA256
9a838066f24043e1f5ba5e6b2ba4db8ac63c0bd341a8b98496b4783c9c99260f

SHA512
dc3ac5a17260c2b456919bca67ececa86846a1ab7b9bfa831535ab8a08af082c44c3ceaa0670cfc32f7051a083fed5c0a40f84e1e46cadb3a99e91dbe2b93106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
f2e19f2f24a508b8eca5c0137d992984

SHA1
eaa331ee0a5b7710864b4731d8bbf704e2877d29

SHA256
95a1b1ff03f0348d4e2062b2358135fe1434a70c044ce0c7f428ea8112d3cef0

SHA512
3af749daae8b3ae19e27d856ab2b2b0984e3a4b88e520164b4fe20abcb6e5f7a2df5c17b69b38de9cc4d781d55b5d71978423afb1c8a5ea7a7258813fccba1e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
88a029af871459e816f516595d043e35

SHA1
47a8f971e43c52bf0f89a1ba901c74377953edb6

SHA256
2abdf38413c97532b470c8f90d8d642ab114705ab60a432366d81eb3083bc8c4

SHA512
3abe7434232c90f4b79692aade85e830e1cf762c91511be5b8763702d1a28913ac2eedfdb713f3fe68ea9e6bfdbf28798698519fcab4cbd6b8e3fb0237db80c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f8e4c442cc0a9368e7e686a3afe90370

SHA1
0987854d464b7ef22f6d8a20f9b37c3eb1170134

SHA256
53c7b3463e2a0cebc7b66110dd883d2c2450058f0498942658aec652529264da

SHA512
66fa0e4889b588a872c7c43fed2d86e66b0e5adb34872d58c7acbefe84f17a39acc90456efb88e56bdf1069ab5c8039915b27dd2ca38f4b560d6e4183fc795e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi

Filesize
845KB

MD5
8eb92668c434cd93215b9981a9683fc4

SHA1
5b087204c1c7e1b985b11b7fcbfcb70e323ff79d

SHA256
bb3234ffa8ab178f621475a9415b46f29571dbb24fd75ddc590f4be6d6369779

SHA512
9e4cccf3ce7bc34c220528b5d206f35fc0a1355531511fbb414af01f09c19e579ff8e027b8125049dfd417ad284661832759ec2f0fb260371e471db02203f058

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi

Filesize
70.0MB

MD5
2a16688489648f78ee304dce7734d0dd

SHA1
aa4c78aa153215068c52bdaeb0f88a5702f7cca6

SHA256
5fa5ae20eb7d3055f5f70c7bbd89361e299a3573f2bfc09de5f4f9b8f6ba7bc2

SHA512
bb6dbe10a70bc6a84884d71c18b7b3ef333b55eb5aa0c558f5bfc9f6c1cdbf939e1a198903469cb3104051e04ae2418f0b7fdbe4dfb35de5843593a5dac7441f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
1016KB

MD5
b4db0cceb5714378be3ccd4535d3aa4c

SHA1
7611e868ba040b0936ff56e0c9b6929042d7a49a

SHA256
9687cc0d7d5a60d7e9669d775b2e7255f9f578e3cb7086a3e2c114175f3a87bc

SHA512
f69232951f638247f87403cd3a861c84c084bfa8adb501a4ffa1984c3d2e6a963193d49744e0c59b21a8cf683dddb09f567ce088dabca9f1b163fe1b3cb0324f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

Filesize
1KB

MD5
fa71626f7a62a2dfba8f942007c2c0e2

SHA1
94d7e82cb9b6eec3d242e7422e87cebf2db0226f

SHA256
947891b416ddb29522f57504afc57ee4076921f3faa72262e6854e4b0a16eb6f

SHA512
ef66a23538e5d8d857ca0f9e63790394c5a833457f95d2ea28e1c1c0dc33763b4a8360b2eeefa1612549be55ae1e7209144f8f81763a17a29f1334e5f82e62ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\JavaSetup8u351.exe

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\JavaSetup8u351.exe.w9vj7gf.partial

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7136031.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7136031.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
33KB

MD5
1fa8a0430f5e11d1f6769b40e883d6f2

SHA1
98714cd35b3b5e8271edb96300964cb8e8804ac3

SHA256
e3926f2131147e78194f2dfa6dc654c9e903f42a8939a5dbc0f1f6666a5bfda9

SHA512
e18d911e544cd4a8e4ffad5022a1d23fd1f432f1b1b6753da37e89d0f6ce73ad9e86251a56ae40562977cc7aed578385dc528e95a5c30529a57a86c82e0fed7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
41KB

MD5
66192e3443f223bab94a0ad7e2307689

SHA1
a3aba2321080dce916a9a439922a66d05bbda2a0

SHA256
3bf2e1edf87b4fee07c734ebae81b5e4c29a17ad89581c5f56306e6ab5abd9f3

SHA512
65fa95b9c450ac0af4fef2ee76ae6393a409cad3aacc6bcb9097cb318c79b17d82e4bd878e9f1b4e64b7f213292afb823f558be3cc9c88c8defb871a6c0a3fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
021a2a80d5b3df7f05d7e435c3feed89

SHA1
98f6da3c16bd8bda1c65404f6777b2c045492f61

SHA256
d46bcbbf016b81e8bd02c93c0db747cc9568d2a704485cb299a025f9fbbc3450

SHA512
a442ef2b3a518d5e54f699b61187cb7ac8d82bd2e788e56ef3d11842043c03be458e2a53c7ee6ee869e169e597e3760bfbbe02c78143bd344d853f2f83cfd33d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KPDVE8XU.txt

Filesize
601B

MD5
8cf7f591e2378973f5c49886e72c51c9

SHA1
c7e967f58b240d1a16fcedbae00d07222b185750

SHA256
3cbdaeaa18921c16733d26ed0059092ae903eb7bb4b948c2086e4c02d6cd2aa4

SHA512
21f1482443a226472b8c4873af9c6ee4e21b2dfc8cc7fa4b63001876d3c4928b1bbdaeb57df08b4d0da8f7d9a6ab04d455bf50a6b77ebfbb866668739cecaf33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QX4TFBBR.txt

Filesize
512B

MD5
9bf8c2000bf71ad830832dff57ecb981

SHA1
252d8bcd6e2562c85926ef27bfe5cf04067a7aea

SHA256
e7ff75d972ca0ada318cf9ab19318a564526d060283c7b1d34f3c7d71b72eef9

SHA512
a2c85c2ae16bfc9e9774ac68535f51041b3e9ff8962c87c0c208d9883f4156d92e8526cacd9a8ac40a007d12abe4e8146e7ec7bfa3bd8de30bf2c9a6e87bddef

Download Submit
C:\Windows\Installer\6d5cc5.msi

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Windows\Installer\MSI6184.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI6626.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI6712.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7175874.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7136031.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
\Windows\Installer\MSI6184.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI6626.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI6712.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
memory/820-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/820-132-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/820-133-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/820-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/856-136-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/856-123-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1260-97-0x000007FEFBE31000-0x000007FEFBE33000-memory.dmp

Filesize
8KB

Download
memory/1592-222-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-220-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-238-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-237-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-236-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-182-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-194-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-199-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-201-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-202-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-204-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-205-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-209-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-211-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-212-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-213-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-215-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-235-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-234-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-224-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-223-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-225-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-229-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-228-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-227-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-226-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-232-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-231-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-230-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1592-233-0x00000000024C0000-0x00000000044C0000-memory.dmp

Filesize
32.0MB

Download
memory/1764-165-0x00000000027A0000-0x00000000047A0000-memory.dmp

Filesize
32.0MB

Download
memory/2008-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download