3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

Analysis

max time kernel
97s
max time network
125s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u351.exe
Size

2.2MB
MD5

82bc7b7e2716e6a631952daa1be4037e
SHA1

83ba6ede5983dd59b8e77439fd84e7b8085ee487
SHA256

3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96
SHA512

35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4
SSDEEP

49152:wOt2adcDKDdpeaqgzMEdqTCGg5O3jUfkptVxG0pb9wzEz+o7:wOt2ywCTejgzMEmjUu5Gs

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
1932	JavaSetup8u351.exe
1924	LZMA_EXE
1100	LZMA_EXE
1692	installer.exe
1756	bspatch.exe
1560	unpack200.exe
1600	unpack200.exe
1848	unpack200.exe
1196	unpack200.exe
568	unpack200.exe
1484	unpack200.exe
1480	unpack200.exe
1756	javaw.exe
536	ssvagent.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0054-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0063-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015602-113.dat	upx
behavioral1/files/0x0006000000015602-115.dat	upx
behavioral1/files/0x0006000000015602-116.dat	upx
behavioral1/files/0x0006000000015602-120.dat	upx
behavioral1/files/0x0006000000015602-119.dat	upx
behavioral1/files/0x0006000000015602-118.dat	upx
behavioral1/memory/1756-124-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1756-127-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1440	JavaSetup8u351.exe
1932	JavaSetup8u351.exe
1932	JavaSetup8u351.exe
1932	JavaSetup8u351.exe
1688	MsiExec.exe
1688	MsiExec.exe
1688	MsiExec.exe
1692	installer.exe
1756	bspatch.exe
1756	bspatch.exe
1756	bspatch.exe
1692	installer.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1560	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1600	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe
1848	unpack200.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-console-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\bci.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\COPYRIGHT	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\libpng.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\santuario.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\access-bridge-32.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-environment-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\t2k.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\classlist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\client\Xusage.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jjs.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\management.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\hprof.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jli.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssv.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\blacklisted.certs	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\client\classes.jsa	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\blacklist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\policy\limited\US_export_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2iexp.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\servertool.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\content-types.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\ktab.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\splash.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-sysinfo-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\vcruntime140.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\public_suffix_list.dat	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\lcms.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\sunec.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\sunmscapi.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\win32_CopyNoDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\javaws.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\klist.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\cryptix.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\cmm\PYCC.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\zlib.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\fxplugins.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jopt-simple.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\relaxngdatatype.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\currency.data	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\lcms.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\jfxrt.jar	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c71f8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AEE.tmp	msiexec.exe
File created	C:\Windows\Installer\6c71fa.msi	msiexec.exe
File created	C:\Windows\Installer\6c71f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c71f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7552.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u351.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0187-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0319-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_11"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0233-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_270"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0115-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0288-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_90"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0348-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_348"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0108-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_14"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0145-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_90"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0104-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0216-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_216"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_93"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_25"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0104-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0199-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0240-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_240"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0209-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0231-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_231"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_233"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_45"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0310-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0244-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_75"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0359-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0342-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0093-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_93"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_01"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0159-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_159"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0325-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0160-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0057-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_57"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0073-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0252-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_166"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_218"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_87"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0313-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_313"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0032-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_106"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0061-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0315-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_86"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_48"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0131-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0339-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_246"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_14"	installer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u351.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	JavaSetup8u351.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	JavaSetup8u351.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u351.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u351.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u351.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1932	JavaSetup8u351.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeSecurityPrivilege	1012	msiexec.exe
Token: SeCreateTokenPrivilege	1932	JavaSetup8u351.exe
Token: SeAssignPrimaryTokenPrivilege	1932	JavaSetup8u351.exe
Token: SeLockMemoryPrivilege	1932	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1932	JavaSetup8u351.exe
Token: SeMachineAccountPrivilege	1932	JavaSetup8u351.exe
Token: SeTcbPrivilege	1932	JavaSetup8u351.exe
Token: SeSecurityPrivilege	1932	JavaSetup8u351.exe
Token: SeTakeOwnershipPrivilege	1932	JavaSetup8u351.exe
Token: SeLoadDriverPrivilege	1932	JavaSetup8u351.exe
Token: SeSystemProfilePrivilege	1932	JavaSetup8u351.exe
Token: SeSystemtimePrivilege	1932	JavaSetup8u351.exe
Token: SeProfSingleProcessPrivilege	1932	JavaSetup8u351.exe
Token: SeIncBasePriorityPrivilege	1932	JavaSetup8u351.exe
Token: SeCreatePagefilePrivilege	1932	JavaSetup8u351.exe
Token: SeCreatePermanentPrivilege	1932	JavaSetup8u351.exe
Token: SeBackupPrivilege	1932	JavaSetup8u351.exe
Token: SeRestorePrivilege	1932	JavaSetup8u351.exe
Token: SeShutdownPrivilege	1932	JavaSetup8u351.exe
Token: SeDebugPrivilege	1932	JavaSetup8u351.exe
Token: SeAuditPrivilege	1932	JavaSetup8u351.exe
Token: SeSystemEnvironmentPrivilege	1932	JavaSetup8u351.exe
Token: SeChangeNotifyPrivilege	1932	JavaSetup8u351.exe
Token: SeRemoteShutdownPrivilege	1932	JavaSetup8u351.exe
Token: SeUndockPrivilege	1932	JavaSetup8u351.exe
Token: SeSyncAgentPrivilege	1932	JavaSetup8u351.exe
Token: SeEnableDelegationPrivilege	1932	JavaSetup8u351.exe
Token: SeManageVolumePrivilege	1932	JavaSetup8u351.exe
Token: SeImpersonatePrivilege	1932	JavaSetup8u351.exe
Token: SeCreateGlobalPrivilege	1932	JavaSetup8u351.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe
Token: SeRestorePrivilege	1012	msiexec.exe
Token: SeTakeOwnershipPrivilege	1012	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1932	JavaSetup8u351.exe
1932	JavaSetup8u351.exe
1932	JavaSetup8u351.exe
1932	JavaSetup8u351.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1440 wrote to memory of 1932	1440	JavaSetup8u351.exe	28
PID 1932 wrote to memory of 1924	1932	JavaSetup8u351.exe	31
PID 1932 wrote to memory of 1924	1932	JavaSetup8u351.exe	31
PID 1932 wrote to memory of 1924	1932	JavaSetup8u351.exe	31
PID 1932 wrote to memory of 1924	1932	JavaSetup8u351.exe	31
PID 1932 wrote to memory of 1100	1932	JavaSetup8u351.exe	33
PID 1932 wrote to memory of 1100	1932	JavaSetup8u351.exe	33
PID 1932 wrote to memory of 1100	1932	JavaSetup8u351.exe	33
PID 1932 wrote to memory of 1100	1932	JavaSetup8u351.exe	33
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1688	1012	msiexec.exe	36
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1012 wrote to memory of 1692	1012	msiexec.exe	37
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1756	1692	installer.exe	38
PID 1692 wrote to memory of 1560	1692	installer.exe	40
PID 1692 wrote to memory of 1560	1692	installer.exe	40
PID 1692 wrote to memory of 1560	1692	installer.exe	40
PID 1692 wrote to memory of 1560	1692	installer.exe	40
PID 1692 wrote to memory of 1600	1692	installer.exe	42
PID 1692 wrote to memory of 1600	1692	installer.exe	42
PID 1692 wrote to memory of 1600	1692	installer.exe	42
PID 1692 wrote to memory of 1600	1692	installer.exe	42
PID 1692 wrote to memory of 1848	1692	installer.exe	44
PID 1692 wrote to memory of 1848	1692	installer.exe	44
PID 1692 wrote to memory of 1848	1692	installer.exe	44
PID 1692 wrote to memory of 1848	1692	installer.exe	44
PID 1692 wrote to memory of 1196	1692	installer.exe	46
PID 1692 wrote to memory of 1196	1692	installer.exe	46
PID 1692 wrote to memory of 1196	1692	installer.exe	46
PID 1692 wrote to memory of 1196	1692	installer.exe	46
PID 1692 wrote to memory of 568	1692	installer.exe	48
PID 1692 wrote to memory of 568	1692	installer.exe	48
PID 1692 wrote to memory of 568	1692	installer.exe	48
PID 1692 wrote to memory of 568	1692	installer.exe	48
PID 1692 wrote to memory of 1484	1692	installer.exe	50
PID 1692 wrote to memory of 1484	1692	installer.exe	50
PID 1692 wrote to memory of 1484	1692	installer.exe	50
PID 1692 wrote to memory of 1484	1692	installer.exe	50
PID 1692 wrote to memory of 1480	1692	installer.exe	52
PID 1692 wrote to memory of 1480	1692	installer.exe	52
PID 1692 wrote to memory of 1480	1692	installer.exe	52
PID 1692 wrote to memory of 1480	1692	installer.exe	52

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u351.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u351.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\jds7070854.tmp\JavaSetup8u351.exe
  "C:\Users\Admin\AppData\Local\Temp\jds7070854.tmp\JavaSetup8u351.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
    "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
    "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
    3⤵
    - Executes dropped EXE
    PID:1100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 46B68696565CDE297647D9F5D01B57C1
  2⤵
  - Loads dropped DLL
  PID:1688
- C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1560
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1600
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1848
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:568
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:1480
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1756
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:536
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:852
  - - C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_351\bin\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
eb6f7af7eed6aa9ab03495b62fd3563f

SHA1
5a60eebe67ed90f3171970f8339e1404ca1bb311

SHA256
148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02

SHA512
a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe

Filesize
111.5MB

MD5
df17b88720a2fe52476de4ed530f959e

SHA1
b452a00266f190b8ee9a941d3bb386b53395f1ce

SHA256
060c06fd8e8fea6097fc80949993f9a7580d1501698c7d28b86ff204cc96929d

SHA512
30c8c164f9cc7dca95f49953843d67adb3b1260a10b5395f370773345335367becba766867987a793512ea57e8a1cc51e7a4e66603d107ce0e57306e03ca543e

Download Submit
C:\ProgramData\Oracle\Java\installcache\7122974.tmp\baseimagefam8

Filesize
67.7MB

MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7122974.tmp\diff

Filesize
42.9MB

MD5
2c4665487dc2e07936d2301e94e4d5b8

SHA1
9a0368248e18378bfaa40991006094fcd1208bb9

SHA256
a8e0403e19829af777cd8f1abe8f9b1d60cc65ac9fdeb3e7e78629cb9e1faf62

SHA512
70c06bd80fb7d90b47f3e1337bbae1206bcd03da9dc2e4f821cf62c8dd84d5350ca15012f109b2a581ed07c7582456c0f187a69a0b15584b04182ddbcc3ceb1b

Download Submit
C:\ProgramData\Oracle\Java\installcache\7122974.tmp\newimage

Filesize
126.6MB

MD5
9446260ab5de2c07c3fe42a9f0285653

SHA1
5bb3b5219129d553d96cf188f96e02ec6d0e58e1

SHA256
d628d97cf441fb8ce26456dfad9c48060d25ab0228673df01975e5209983d925

SHA512
8186456908c70357f762ec895fb81c062e5e3c8000fed2734f85e41f092c319b04c1ebc1c89773e385550710b7af276ca8bd42a31c9f87c4588285bf8b11a99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
aac57b446523b4ac3892bc2da33e5855

SHA1
8f5195bf755b5b187682ef8e092c3497add579df

SHA256
3dfce9fd12087dff886d026d4eb156c27b3a8fac509f38c73fcf79789759d852

SHA512
7babcab7ba6d012176923c3be0b68614284c81a768076f813b8e09ac9f80cc945548f93be71a12ed17e33e52bcb19a2b01849d2390f7c95e67fd1741d2bdc881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
ddaabfaeb5297284372f878514b35e01

SHA1
ebc6206a3396ec69635c289ab7dad4fb4715afd7

SHA256
d1b21e9ad22843f78e6f82422505f8396c06416a919bf97bf61383a44690be14

SHA512
24383dc912ec843f686751c3f3ec21d4c52396fbddd255e4990afbfd41c69057c73c580deb792769d766e5aff16c5ad4dbbc8e88a2972f85902dc661a5e41abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
e43fa5702c1d83095a6bcb5e322e4ed8

SHA1
c3c29e5338c2a8b9234cf0f5f666f153c3c427e6

SHA256
622d0600c9a471b776e1a628da93d3b0b670b3166fe9eca02024ed28f059a290

SHA512
6de21ccda63e5ab02dcaf95fdae334e2a0d06fd60463c24f93b00e43bc57bca73df4520a49061672de5e3457a6305e1f091d8520280e05c64c5b83b7d93f22bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
7329e4bac2acfda676dd1e00dc250681

SHA1
15eb82f21cb6f40c0b0a2a51c236ffc9ecc3526d

SHA256
24e786cf84e470702a8af523137028e54b02001d87a5381997ed8076257b3247

SHA512
e32c6aa217279372ce2272978acd52927239452ec3ea94542908fe79a1c993e5fb204d94d91572bf992cced96ba6f4a4952fd0c866c0b454f1a9d1955db50bd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
47a803e8ba964d9e820ecc2a92d3e394

SHA1
c6a79b4ebd7a3a842df6e210e3c48f289018ba5c

SHA256
d97cb538441231b309f6c61d00f6d9b336db01f9b0cbcbe3648fd3cb6b1a1a2b

SHA512
195dc37dfcf36f383bfb62152cef7a255c9bde4cb6c218f76fdbf5a7784162d2f1c214ed9c262fcaac105017108f837d4f5a22092f6ebb9c3b2068a1fe734558

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
ba0404918591e4028d80215a76fc6520

SHA1
784a77842ea9c8cd24cc2b75fc8ae8e8034bf5ef

SHA256
e8aca4b60ff7cf783c8bd93485b528a8241767289e6b446feeace1496496d579

SHA512
5aebb9e9068a15a68ac98ecee22f23fe016c1b2d3725c1d4560ca5ac9c97cec1f4bcb0355cc4a0a942cb4fc1374d64c10958c612b94226f43de641dddd0bfa89

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi

Filesize
845KB

MD5
8eb92668c434cd93215b9981a9683fc4

SHA1
5b087204c1c7e1b985b11b7fcbfcb70e323ff79d

SHA256
bb3234ffa8ab178f621475a9415b46f29571dbb24fd75ddc590f4be6d6369779

SHA512
9e4cccf3ce7bc34c220528b5d206f35fc0a1355531511fbb414af01f09c19e579ff8e027b8125049dfd417ad284661832759ec2f0fb260371e471db02203f058

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi

Filesize
70.0MB

MD5
2a16688489648f78ee304dce7734d0dd

SHA1
aa4c78aa153215068c52bdaeb0f88a5702f7cca6

SHA256
5fa5ae20eb7d3055f5f70c7bbd89361e299a3573f2bfc09de5f4f9b8f6ba7bc2

SHA512
bb6dbe10a70bc6a84884d71c18b7b3ef333b55eb5aa0c558f5bfc9f6c1cdbf939e1a198903469cb3104051e04ae2418f0b7fdbe4dfb35de5843593a5dac7441f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
1016KB

MD5
b4db0cceb5714378be3ccd4535d3aa4c

SHA1
7611e868ba040b0936ff56e0c9b6929042d7a49a

SHA256
9687cc0d7d5a60d7e9669d775b2e7255f9f578e3cb7086a3e2c114175f3a87bc

SHA512
f69232951f638247f87403cd3a861c84c084bfa8adb501a4ffa1984c3d2e6a963193d49744e0c59b21a8cf683dddb09f567ce088dabca9f1b163fe1b3cb0324f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7070854.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7070854.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
33KB

MD5
54d4a6611d291fe17805aab1bf43a4a2

SHA1
9f9e39df7bf489898d93fdb468448205c8f4ca22

SHA256
bd6e5be3cebb657bf3550a88561884a946ff4820091275fad378e1481e010bfc

SHA512
b54354462a314eb23707f91b0760ac60de6dbc5f234623451b08fa8450981e3975da6d88d848549ccca58c0a0be312bf80dffadc46efee618defdae576631c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
41KB

MD5
bc408a2f19bbc03fbfc5da7b498adbbc

SHA1
f0a6c5ce0c23d01f5a4ee5671e6f872f141ee0d2

SHA256
be1f040ab3bba309f14decb179a955b60369ba574bf3a582a173de61bd484cc9

SHA512
46ca12541499c45a9b796d5db018d8b330b6e0e6e926ebe82914118b50ec69c738724f2e63123f2902a1b82a7b3c7bdcd38be93d26ccc1c5bff02488ec7322f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
90470ad95397e4ca134d72be2d71ddda

SHA1
2f511799280249185f4ded247a61407ccd14f0e4

SHA256
f2c61d742e3fa3e56bb0a76396530c3142ba1661511cdcf25aebf89b4acd440d

SHA512
d65c70d794baca8b22573c10dbdd626bb60c9994bcc93368d80c0f756a04edd1da40363cc0e61ce3bfb1a7025ddec644062a5f8ad9d1a8c16080ca19ebb42ed8

Download Submit
C:\Windows\Installer\6c71fa.msi

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Windows\Installer\MSI7552.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI7AEE.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI7EC7.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
eb6f7af7eed6aa9ab03495b62fd3563f

SHA1
5a60eebe67ed90f3171970f8339e1404ca1bb311

SHA256
148adef6a34269e403bb509f9d5260abe52f413a6c268e8bd9869841d5f2bd02

SHA512
a9961212b40efc12fd1ab3cc6551c97c987e73b6e409c9ab8a5e1b24542f9e5884811f06883bd31d2585219c4f60c30de2d188788513c01b6cbfe22d539d7875

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f364190706414020c02cf4d531e0229d

SHA1
5899230b0d7ad96121c3be0df99235ddd8a47dc6

SHA256
a797c0d43a52e7c8205397225ac931638d73b567683f38dd803195da9d34eac2

SHA512
a9c8abbd846ab55942f440e905d1f3864b82257b8daa44c784b1997a060de0c0439ecc25a2193032d4d85191535e9253e435deed23bdf3d3cb48c4209005a02e

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7122974.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7070854.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
\Windows\Installer\MSI7552.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI7AEE.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI7EC7.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
memory/1012-84-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1240-187-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/1240-190-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/1240-203-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/1240-204-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/1240-207-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/1692-123-0x00000000000A0000-0x00000000000B7000-memory.dmp

Filesize
92KB

Download
memory/1692-170-0x00000000000A0000-0x00000000000B7000-memory.dmp

Filesize
92KB

Download
memory/1756-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1756-126-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1756-125-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1756-124-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-57-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads