3bc1e207766bcff7b7328c5d336ec8e9211485cfd05242a0ff79e1a8ef49b1fb

Analysis

max time kernel
184s
max time network
306s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcherfull-shiginima-v4400.exe
Size

5.4MB
MD5

c3db052da531710367faf5e011475715
SHA1

46f599e4e1ece582006739debe0a522925a9cd13
SHA256

7c6220b046553f9c95b8098ff83bfc6b7828093650becbc1b44e3d7819d7efd1
SHA512

67bfb67b36dab91e37b1ada7fbd688dc39cf19c337e3938d1f7e4f47173b7dc9d0b93dc035d6511ce65b8fe44384bb9cffa9953e97c6fffadb29fd561eec7feb
SSDEEP

98304:qpTJ89MMbcZsgsDlilods/txVGHTJKsTnEFnAzvDfBzXEYNsJ5Ono:aTm9MMbcFililB0HdRTnEFnAzlEQsJ5H

Score

8^/10

adware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1576	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1440	LZMA_EXE
1904	LZMA_EXE
2136	installer.exe
2172	bspatch.exe
2420	unpack200.exe
2488	unpack200.exe
2516	unpack200.exe
2552	unpack200.exe
2664	unpack200.exe
2688	unpack200.exe
2712	unpack200.exe
2736	javaw.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c86c-125.dat	upx
behavioral1/files/0x000500000001c86c-127.dat	upx
behavioral1/files/0x000500000001c86c-128.dat	upx
behavioral1/files/0x000500000001c86c-132.dat	upx
behavioral1/files/0x000500000001c86c-131.dat	upx
behavioral1/files/0x000500000001c86c-130.dat	upx
behavioral1/memory/2172-136-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2172-144-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2172-151-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1576	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1300	MsiExec.exe
1300	MsiExec.exe
1300	MsiExec.exe
2136	installer.exe
2172	bspatch.exe
2172	bspatch.exe
2172	bspatch.exe
2136	installer.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2420	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2488	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe
2516	unpack200.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jfr.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\wsdetect.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\API-MS-Win-core-xstate-l2-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\xalan.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\java.security	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jpeg.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-stdio-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\jsse.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\COPYRIGHT	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\awt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\client\Xusage.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\dt_shmem.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_zh_CN.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-string-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\deploy.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\dt_socket.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jawt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jdwp.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jjs.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\giflib.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\jsse.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\README.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\java_crw_demo.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\asm.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\security\cacerts	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javacpl.cpl	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\javafx\webkit.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\lcms.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\i386\jvm.cfg	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\dtplugin\deployJava1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy.pack	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7268570\java.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\resource.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\rmid.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-datetime-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\pkcs11wrapper.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\jfr\profile.jfc	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\verify.dll	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6e2434.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A8D.tmp	msiexec.exe
File created	C:\Windows\Installer\6e2436.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32C9.tmp	msiexec.exe
File created	C:\Windows\Installer\6e2438.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e2434.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3318.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 30ba012d8720d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "492"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "5677"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3269"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aceebcc37ca6ee47b8e987c22c88adcb000000000200000000001066000000010000200000002a932d73903cad8b229e39171424b65f0f87729da5f52c1e6cacf43ff27af5d6000000000e80000000020000200000003f126cdc00585ec6fb8e3242e1871769301735424aa7d004a12133b3cb5f3f474001000062d4a59ecc715f0ea9aed446eeaeba405999eb7a67f0166e2288aee73b7243072cf7d999f3124aab10ebad9ee1ace168fd0f3da0d059465b20e69b5e037b8a541d66a2feb30526127e47c321771b33a9e1ac7846d2a347481461343c72f1da5686d3c997ddf1e7c0bf6c6966982454a4ac75594ea0c22e5e3618877cb9e98088075e6e9d6dfc1c61a05de91706f4d5824c6707a7ceb8b6662c0c420849225c91b20ff1de2b5c0449ac493b2de898cf053a695e3e73a0eef592e888321888e06a0f406c7a52f7d4515c8f2f38b8766bf5e6ad8db7d51667af93371fe413b107de7e8d4b5c0672ee497ced3b8d639f5e9d09c257fcc1c1a473a6e0d6dfa672cdbf5904629401d91e9a2b7efaee7725bef9a99cef7642ba485fcf5ba37cf846aef1a99eeba90eba208103fa220824765d7be3dbd01f0d995986de31a10c35cd1672400000006654cdedb4374f7bccefd061204dd556ab41b893279dc35e1b97ce7ec8908d34f7c44dc0b42f251e7f01a3571f97f0d91ebf16abccace15fc77eb98a7dff37ac	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "324"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "3060"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F9094A1-8C7A-11ED-BBEB-FA28CBED7ACF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "5595"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "8153"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "5530"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "3054"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\launchershiginima.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "3060"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "5677"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "5530"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "701"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "498"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2966"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "5886"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "2972"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "707"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "330"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3263"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "5683"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_45"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_92"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_36"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_17"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_05"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_10"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_43"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_35"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_93"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_38"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_54"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_09"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0066-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_01"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_35"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_72"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2238130150F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_39"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_16"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ = "isInstalled Class"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_46"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_31"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_36"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_12"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_02"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_82"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_11"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_54"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_14"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_67"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_13"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
564	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1108	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1108	JavaSetup8u351.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeSecurityPrivilege	332	msiexec.exe
Token: SeCreateTokenPrivilege	1108	JavaSetup8u351.exe
Token: SeAssignPrimaryTokenPrivilege	1108	JavaSetup8u351.exe
Token: SeLockMemoryPrivilege	1108	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1108	JavaSetup8u351.exe
Token: SeMachineAccountPrivilege	1108	JavaSetup8u351.exe
Token: SeTcbPrivilege	1108	JavaSetup8u351.exe
Token: SeSecurityPrivilege	1108	JavaSetup8u351.exe
Token: SeTakeOwnershipPrivilege	1108	JavaSetup8u351.exe
Token: SeLoadDriverPrivilege	1108	JavaSetup8u351.exe
Token: SeSystemProfilePrivilege	1108	JavaSetup8u351.exe
Token: SeSystemtimePrivilege	1108	JavaSetup8u351.exe
Token: SeProfSingleProcessPrivilege	1108	JavaSetup8u351.exe
Token: SeIncBasePriorityPrivilege	1108	JavaSetup8u351.exe
Token: SeCreatePagefilePrivilege	1108	JavaSetup8u351.exe
Token: SeCreatePermanentPrivilege	1108	JavaSetup8u351.exe
Token: SeBackupPrivilege	1108	JavaSetup8u351.exe
Token: SeRestorePrivilege	1108	JavaSetup8u351.exe
Token: SeShutdownPrivilege	1108	JavaSetup8u351.exe
Token: SeDebugPrivilege	1108	JavaSetup8u351.exe
Token: SeAuditPrivilege	1108	JavaSetup8u351.exe
Token: SeSystemEnvironmentPrivilege	1108	JavaSetup8u351.exe
Token: SeChangeNotifyPrivilege	1108	JavaSetup8u351.exe
Token: SeRemoteShutdownPrivilege	1108	JavaSetup8u351.exe
Token: SeUndockPrivilege	1108	JavaSetup8u351.exe
Token: SeSyncAgentPrivilege	1108	JavaSetup8u351.exe
Token: SeEnableDelegationPrivilege	1108	JavaSetup8u351.exe
Token: SeManageVolumePrivilege	1108	JavaSetup8u351.exe
Token: SeImpersonatePrivilege	1108	JavaSetup8u351.exe
Token: SeCreateGlobalPrivilege	1108	JavaSetup8u351.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1980	iexplore.exe
1980	iexplore.exe
1108	JavaSetup8u351.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1980	iexplore.exe
1980	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
1108	JavaSetup8u351.exe
1108	JavaSetup8u351.exe
1980	iexplore.exe
1108	JavaSetup8u351.exe
1108	JavaSetup8u351.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 1980	928	launcherfull-shiginima-v4400.exe	27
PID 928 wrote to memory of 1980	928	launcherfull-shiginima-v4400.exe	27
PID 928 wrote to memory of 1980	928	launcherfull-shiginima-v4400.exe	27
PID 928 wrote to memory of 1980	928	launcherfull-shiginima-v4400.exe	27
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 564	1980	iexplore.exe	29
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1980 wrote to memory of 1576	1980	iexplore.exe	31
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1576 wrote to memory of 1108	1576	JavaSetup8u351.exe	32
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1440	1108	JavaSetup8u351.exe	34
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 1108 wrote to memory of 1904	1108	JavaSetup8u351.exe	36
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 1300	332	msiexec.exe	39
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 332 wrote to memory of 2136	332	msiexec.exe	40
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2172	2136	installer.exe	41
PID 2136 wrote to memory of 2420	2136	installer.exe	43
PID 2136 wrote to memory of 2420	2136	installer.exe	43
PID 2136 wrote to memory of 2420	2136	installer.exe	43
PID 2136 wrote to memory of 2420	2136	installer.exe	43

C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4400.exe
"C:\Users\Admin\AppData\Local\Temp\launcherfull-shiginima-v4400.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\JavaSetup8u351.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\JavaSetup8u351.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\jds7184875.tmp\JavaSetup8u351.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7184875.tmp\JavaSetup8u351.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:1440
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:1904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:1389579 /prefetch:2
    3⤵
    PID:2684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8A105A0855781C156DCA3F238C171F1
  2⤵
  - Loads dropped DLL
  PID:1300
- C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2172
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2420
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2488
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2516
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2552
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2664
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:2712
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:2836
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:2992
  - - C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_351\bin\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe

Filesize
111.5MB

MD5
df17b88720a2fe52476de4ed530f959e

SHA1
b452a00266f190b8ee9a941d3bb386b53395f1ce

SHA256
060c06fd8e8fea6097fc80949993f9a7580d1501698c7d28b86ff204cc96929d

SHA512
30c8c164f9cc7dca95f49953843d67adb3b1260a10b5395f370773345335367becba766867987a793512ea57e8a1cc51e7a4e66603d107ce0e57306e03ca543e

Download Submit
C:\ProgramData\Oracle\Java\installcache\7226481.tmp\baseimagefam8

Filesize
67.7MB

MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7226481.tmp\diff

Filesize
42.9MB

MD5
2c4665487dc2e07936d2301e94e4d5b8

SHA1
9a0368248e18378bfaa40991006094fcd1208bb9

SHA256
a8e0403e19829af777cd8f1abe8f9b1d60cc65ac9fdeb3e7e78629cb9e1faf62

SHA512
70c06bd80fb7d90b47f3e1337bbae1206bcd03da9dc2e4f821cf62c8dd84d5350ca15012f109b2a581ed07c7582456c0f187a69a0b15584b04182ddbcc3ceb1b

Download Submit
C:\ProgramData\Oracle\Java\installcache\7226481.tmp\newimage

Filesize
126.6MB

MD5
9446260ab5de2c07c3fe42a9f0285653

SHA1
5bb3b5219129d553d96cf188f96e02ec6d0e58e1

SHA256
d628d97cf441fb8ce26456dfad9c48060d25ab0228673df01975e5209983d925

SHA512
8186456908c70357f762ec895fb81c062e5e3c8000fed2734f85e41f092c319b04c1ebc1c89773e385550710b7af276ca8bd42a31c9f87c4588285bf8b11a99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
b85f62f461fcd8f88f843d27366343ae

SHA1
5f869f942757e78de1d1886e376e350ecd303180

SHA256
730e67179905dc17b5ec06fb3d66dcfe3116faf3415b45478d6905d4006b7237

SHA512
891c4d1094bac5ef613636f49f30156b06a0b84ea8cc503e6d75cce49f1481e32a61c3012402a42521abbd6d130a0e8171585fcc7b0825f2bf782940489950fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
66e1eb29b2f919f05bd2efc618283db3

SHA1
cb053a306df8124f0f31b8c3086167bb39c94ed6

SHA256
da47f89fd9cd628fcab810fcdf2276755052b73321921d39dfcd54fc4f530073

SHA512
1a92e004a84a6469072b3eeaf0856ac08ed7310a6324af21c01764c25349539ac8e6217747146457c61ee4a40eaae1a3eee5840e169001e8d73699066928fabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
bab23bb790bf19e2680a1fee436e9d51

SHA1
c3e384b5810e53d43e0d29637ad41159d63c855b

SHA256
7e143916a9f19dd0f411c2745c4df4dd8b35fed4ce675f294ce2b7a53fd4f7c5

SHA512
40551056fef333784aa4e97db2ffb0874303c97368d88ad55164a880c969ec66f494e3ac111ca6125cfa33fac6cab06ea3648b4aa98bf3341083d3cbb20ae81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
10f9e7a218b1f1d5293c057ff60cebae

SHA1
a80129e6d42d9befa85437561184f926d23b251b

SHA256
d37be43311d5cde9f041a6a4bcbe8806c94dcab41dc4f89ea931c9ecfee7d42d

SHA512
8484fa48bd2c521e05833032a5d90701bf1e9ef9a3bc8a91e46e37665e1a607c384e2bb40f1db46cae018f13967658c9848c2f0b09b244032072f47b1c87fefb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
3ce78e55328c89204c622ea337892fff

SHA1
cb780424091057068f7b79543b5c55093388eeda

SHA256
4b86a98e3b1bc9fe60481d82284bcf61949cc45fca335a33e1c4a39fdd0d5e69

SHA512
6a61873385616f7b10e7bde0f1388ce01e0874bc25d0a18f2b87b7f24ce70b8bbe0d3f7d7df6861a0af888f1f99ba304f0928b8bdc68839c49af6857dcee06ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
93c6df82f7b7a3530f8bdf3eba41fffe

SHA1
f415fc07d076b2f00fa181e57fd1ae288e766bec

SHA256
0a826279c07aca850db5947c591b1e096b1be83164b2dcfa8bd145673bedcef6

SHA512
3c639c57f099dd1a135444f8894a4aaf60fd70651cfc5ea8448b8f4160b27273f3867aea17b65496897b9984a305c7b1bc3ab3ba651098e41bd468fc0cb2fd96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
b1521a45f63a31e5332ab90462eca429

SHA1
d687f124b0e65cb8caae6d44cddaf789b86e5f7e

SHA256
8fa6d1347c9966372c391a4bad0501b48695d77a0c62071b1de0db6776a1a554

SHA512
70857a373de4e417f679c4f7964a77f00912990775b853e3241a5bfd81363e59c6fc032b370c0fe65135e791cf00704f05e5e3fe547adf20f291884e894c09df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e81ffb12a933283f4bc8456a97e8bc56

SHA1
7e1bdf9a86467cef3160f51657932ce3f4fc2d53

SHA256
0b65d5bab657c73efec2b9ef0780589bc7c6471a69434cfffb87f8735076561b

SHA512
b2a78e86e862dbb2b6be7067f603a607c4a706c647882371ddf815f932b1e3fd60b312a7669f01f20e3483b73ee5939070586bce59a1fc4aa5a72f1e36a4fb7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
af117c1b91904238ab72b37d0adcad38

SHA1
06e0b8b56bdba662a2e5aaccf310d7bb6d04566b

SHA256
a95f1502c3a045ad94db698a6d7b997ac5952253b03118dc0ee6851a2a441748

SHA512
e33c7b5be192314bd6d52960b3fd08d16777d7fb9c829c6b55db58f12bc88993be4a134914d6fbb1ba128aacf789b6b9b303dc501c11785971594a5875fcd300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
c6ac47af73e8b1ce4737e862f87b5621

SHA1
24bf02a24f1abe0c5bfd76ab249a3dc1881b5fd7

SHA256
4ec9dce5e71e31b6782944c5d557f6d9983f89f1f174aff8c889051fcea77d39

SHA512
e909cab77c17039b65f26bd4bb0d48ef329161a278a3cbbb273a967348cf8ae5343a2ebbf121ff56c5a2534211a450910208739fc133bb0838b5f0ebd8120c38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6f263f97044eaa3cf3e5960584ca3375

SHA1
22d9742de58612922936565e97c158f2655c2b71

SHA256
3e055fc2b3a45d18ac032a44b553d168868a1f6cf51f8f98cc8050e8537a688c

SHA512
b92ba4045b0629eecdae1e35429a4d56ae948bb5347358e78e6bb46d0f1aa801e9a930e7ad2db93befde226a7bccf85f69d3e8e2e8a4c5f9ee57041780b088cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi

Filesize
845KB

MD5
8eb92668c434cd93215b9981a9683fc4

SHA1
5b087204c1c7e1b985b11b7fcbfcb70e323ff79d

SHA256
bb3234ffa8ab178f621475a9415b46f29571dbb24fd75ddc590f4be6d6369779

SHA512
9e4cccf3ce7bc34c220528b5d206f35fc0a1355531511fbb414af01f09c19e579ff8e027b8125049dfd417ad284661832759ec2f0fb260371e471db02203f058

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi

Filesize
70.0MB

MD5
2a16688489648f78ee304dce7734d0dd

SHA1
aa4c78aa153215068c52bdaeb0f88a5702f7cca6

SHA256
5fa5ae20eb7d3055f5f70c7bbd89361e299a3573f2bfc09de5f4f9b8f6ba7bc2

SHA512
bb6dbe10a70bc6a84884d71c18b7b3ef333b55eb5aa0c558f5bfc9f6c1cdbf939e1a198903469cb3104051e04ae2418f0b7fdbe4dfb35de5843593a5dac7441f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
1016KB

MD5
b4db0cceb5714378be3ccd4535d3aa4c

SHA1
7611e868ba040b0936ff56e0c9b6929042d7a49a

SHA256
9687cc0d7d5a60d7e9669d775b2e7255f9f578e3cb7086a3e2c114175f3a87bc

SHA512
f69232951f638247f87403cd3a861c84c084bfa8adb501a4ffa1984c3d2e6a963193d49744e0c59b21a8cf683dddb09f567ce088dabca9f1b163fe1b3cb0324f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
14KB

MD5
ee7826b9496437dcae469dba19a25af3

SHA1
dc142107335c80163afec4462f3ef3f41ef79815

SHA256
f7dd626f5116c4fb859e1c27188901333dcfda93ef401fe632e2da66644f2acc

SHA512
281634288c93b841849c3d32d6276ff5e039cae0069bc145ec67d48b5bcf293aebeb13ea2c125dcfbead8e9830abc989c5cb26dd1dd013e748f65a7fed29fd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
14KB

MD5
ee7826b9496437dcae469dba19a25af3

SHA1
dc142107335c80163afec4462f3ef3f41ef79815

SHA256
f7dd626f5116c4fb859e1c27188901333dcfda93ef401fe632e2da66644f2acc

SHA512
281634288c93b841849c3d32d6276ff5e039cae0069bc145ec67d48b5bcf293aebeb13ea2c125dcfbead8e9830abc989c5cb26dd1dd013e748f65a7fed29fd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
15KB

MD5
362ed0911c6173895e5c930aec3014c9

SHA1
9e2d68abb71ba70c8d9b4d651496fe5b765c0aa9

SHA256
409e359ca9534442cb6cd89dd86fa7ddc847b1781d98c1299bfcf7e3d2d2b65a

SHA512
f1bdf5fb9b8aaba85903c09e0bdc40b2cb34c524d997fa8722353e1dcf8e4bab5e6bc399e5a927839a277d33902297c0f0237775fa14bed43a5555a7782a002e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
081aa41e369309a61fdf75e74770a377

SHA1
2ea22131994294a3c09aeac80f8961b88861b747

SHA256
5d42ecfbcd5084cceca3a278b54f8433133825399c91681849818a307a5365d8

SHA512
db207ebad62f50882906b76a6e1055b142f013d3e2a6e76a8c1d558982d91bce3fe0e3670c1a7d9a4131264746dfd792f439b5ed803402ae034220485da0efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\JavaSetup8u351.exe

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZN60M0QQ\JavaSetup8u351.exe.fy1po9k.partial

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7184875.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7184875.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
40KB

MD5
ebab06155fa9a4f27a7d23e661637959

SHA1
84afaee556830ba44e9e14e224558bb66fe52218

SHA256
cf78021b0f51e522f5aebc51bc8863519e1e3faf739dcf50c54a9281715fe641

SHA512
f6fe267fcf773cf0f323f0a78371fc9d962f39f0e30cacc6c54abf6bb6aef9ea9cecf9c6c4ba77e46afadb84dd2586231cd9d0c848d8a13b7ef7214c8d877720

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
44KB

MD5
519998095d951e746aadcac3af1a61ae

SHA1
da4b12447ead6d7430557052321f05fa86467471

SHA256
41d702990218fd173b1f0f61b97355ea263472db391f730dca5eb717aa1f0863

SHA512
4637b2e9d992ee136dc1c7b463dfd96b064dc481391f2d12b04c66162939b778205250d885abeffe4424afc96c209d8643503919eac5533ebbc9c4e5adc8852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
1bead7da4c211989385eea4a4b783f85

SHA1
25aa0f24c1e0d5889bd7c96262b50882b21ebaaa

SHA256
2f40121ced18efabcca205ba968f2b61dcaf89ec9027559e1dcd7c19f325fb13

SHA512
a3483a1d2c79389ffc33af449c5a7d9309dea60094232e7f0db0515f07bdc90bb8437ac1ee6254304fdda317c271ef8dca867302d4f42e5793ec4a00f13362b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0L48PAJK.txt

Filesize
867B

MD5
ca645d34ff08e3cdabe450f4f56cf577

SHA1
c8cddf08a6462a74a9e55d71299aed9260e986ce

SHA256
c79e569ff347087a49d5be9d64942a845d442be56aeeff2b2e05655138e8f876

SHA512
3ae1a7fa2fc603f2a9d3c183b486dd3f2936d1373186780020ab72b53ebc67a8f2c59609f27d15e1d8467d042ffced76ea6884c3a02e8c8f31220c1020e95e22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WYTY2R3A.txt

Filesize
603B

MD5
b313c948cb520393da79a413b0abe99e

SHA1
f7ac111e1e02e90d97f04333afaf474555cea214

SHA256
459d48ad1b32c7110c7bd5ccef57f3771611067b245b552c683ae5a754136b86

SHA512
fa69441935b136430a350431e6660a9404d5e4d84be91c8fe219e07b55dbff7a35ab1807600f4684c3dcd439c2bce0da62f6ca48532f98b2cced3a3198f6345b

Download Submit
C:\Windows\Installer\6e2438.msi

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Windows\Installer\MSI2A8D.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI2F7D.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSI3318.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7226481.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7184875.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
\Windows\Installer\MSI2A8D.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI2F7D.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSI3318.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
memory/332-106-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/928-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/2136-143-0x00000000000F0000-0x0000000000107000-memory.dmp

Filesize
92KB

Download
memory/2136-135-0x00000000000F0000-0x0000000000107000-memory.dmp

Filesize
92KB

Download
memory/2172-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2172-138-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2172-137-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2172-145-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2172-146-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/2736-179-0x0000000002540000-0x0000000004540000-memory.dmp

Filesize
32.0MB

Download
memory/3060-196-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-200-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-211-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-213-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-216-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-220-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-221-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-222-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-224-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-225-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-226-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download
memory/3060-228-0x0000000002640000-0x0000000004640000-memory.dmp

Filesize
32.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads