51a8d363bee48c41e89fc5ff6b9659d93d9521d94b824df9cf907588c2246f44

Analysis

max time kernel
1185s
max time network
891s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft.exe
Size

4.4MB
MD5

62da1cde5869df964fc628ab9d226fb4
SHA1

6b4ebcd1685180d4e4477f5a7e9c36138e2e9aed
SHA256

51a8d363bee48c41e89fc5ff6b9659d93d9521d94b824df9cf907588c2246f44
SHA512

d29dc55c6ef957e624f445ca746db1e0bc4ba543df6e4aea4dc2f0ed8284bab80ff6268dc834722d695044cd1bb32cd6ca2086327aee22312b3d33bbd6b33d97
SSDEEP

98304:9Gz4kB1F8O+ZJpzMkqvc+tymgjSnm2Mwp3CTua:9YBcO+P2kqvchunHMwp3CTua

Score

8^/10

adware persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
1444	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
2040	LZMA_EXE
644	LZMA_EXE
1952	installer.exe
1500	bspatch.exe
1576	unpack200.exe
1644	javaw.exe
1880	unpack200.exe
1648	unpack200.exe
1076	javaws.exe
1812	unpack200.exe
1164	unpack200.exe
1644	javaw.exe
1932	ssvagent.exe
1076	javaws.exe
1244	MsiExec.exe
1872	javaws.exe
1388	jp2launcher.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0330-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0279-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0249-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0166-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0238-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0317-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0175-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0242-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0155-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0290-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0066-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0218-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0115-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0190-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0169-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0064-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0257-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0329-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0237-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0253-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0110-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001d63c-134.dat	upx
behavioral1/files/0x000400000001d63c-132.dat	upx
behavioral1/memory/1500-136-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000400000001d63c-137.dat	upx
behavioral1/files/0x000400000001d63c-139.dat	upx
behavioral1/files/0x000400000001d63c-141.dat	upx
behavioral1/files/0x000400000001d63c-140.dat	upx
behavioral1/memory/1500-144-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/1500-148-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1500-149-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1444	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1952	installer.exe
1500	bspatch.exe
1500	bspatch.exe
1500	bspatch.exe
1952	installer.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1576	unpack200.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1644	javaw.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe
1880	unpack200.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jli.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\keytool.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\classlist	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\management.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\plugin2\msvcp140.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\zip.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\javafx\webkit.md	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7297523\java.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-file-l2-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\tnameserv.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\javafx\libxslt.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\xerces.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\zipfs.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\README.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\THIRDPARTYLICENSEREADME-JAVAFX.txt	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\kinit.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jopt-simple.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\[email protected]	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\klist.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\resources.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\tzmappings	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\fontmanager.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\glib-lite.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\javafx\libffi.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\fxplugins.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\JAWTAccessBridge-32.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processthreads-l1-1-1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\dt_socket.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\dom.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-processenvironment-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-profile-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jabswitch.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javafx_font.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\dynalink.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\calendars.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\msvcp140_1.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\verify.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\deploy\splash_11-lic.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jaas_nt.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\ext\sunpkcs11.jar	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\invalid32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\lib\rt.jar	unpack200.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\jjs.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-core-timezone-l1-1-0.dll	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6eb83b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6eb83e.msi	msiexec.exe
File created	C:\Windows\Installer\6eb840.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6eb839.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC509.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC539.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC22.tmp	msiexec.exe
File created	C:\Windows\Installer\6eb839.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC49B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6eb840.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6eb83e.msi	msiexec.exe
File created	C:\Windows\Installer\6eb842.msi	msiexec.exe
File created	C:\Windows\Installer\6eb83b.ipi	msiexec.exe
File created	C:\Windows\Installer\6eb83d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a09676188020d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u351.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.bing.com/search?q=javajavvawnloadminecraft&src=IE-TopResult&FORM=IE11TR&conversationid="	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "266"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 982362fd7f20d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000077f44307227f5ce0da03298e9e6c35f2aea7e30212ccc575987ae902a4ac7981000000000e800000000200002000000022967af7ff729c72d0b485eecb830fe18b7ac0c8fb592424450d2ec976c082592000000044b4aa62971b323c5c2d1a4f5b2bbaa0c3ec8b8eb6a76b9d9fe84bf256668a9b4000000081b1a077252db656d3f013ee45f074834cb3d95d0999666bb4683b8bbaa1933be08e1062bc71803d1f9b79a1b0b5227f0b22e2f2e8d8e61633fd20ffed60ac9d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7044eddd7f20d901	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_19"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0069-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0062-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_40"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0317-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0077-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0212-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0265-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_24"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0166-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_166"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0084-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0338-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0225-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_94"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0301-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0358-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0160-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_45"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_91"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_166"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0328-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0231-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_50"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0208-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_208"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0305-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0214-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0224-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0291-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0118-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_118"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0270-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0350-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0340-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0327-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_327"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0050-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0128-ABCDEFFEDCBC}	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0161-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_161"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0221-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0233-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_289"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_76"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0254-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0118-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_118"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0320-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_59"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_87"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_177"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0073-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_73"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0307-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_307"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0318-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0322-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0245-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_86"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0115-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0310-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_80"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0196-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0057-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_57"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0090-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0286-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0100-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0078-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBA}\InprocServer32	installer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1076	javaws.exe
1244	MsiExec.exe
1952	installer.exe
1952	installer.exe
1872	javaws.exe
1388	jp2launcher.exe
1952	installer.exe
1952	installer.exe
2040	msiexec.exe
2040	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
564	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1804	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1804	JavaSetup8u351.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	1804	JavaSetup8u351.exe
Token: SeAssignPrimaryTokenPrivilege	1804	JavaSetup8u351.exe
Token: SeLockMemoryPrivilege	1804	JavaSetup8u351.exe
Token: SeIncreaseQuotaPrivilege	1804	JavaSetup8u351.exe
Token: SeMachineAccountPrivilege	1804	JavaSetup8u351.exe
Token: SeTcbPrivilege	1804	JavaSetup8u351.exe
Token: SeSecurityPrivilege	1804	JavaSetup8u351.exe
Token: SeTakeOwnershipPrivilege	1804	JavaSetup8u351.exe
Token: SeLoadDriverPrivilege	1804	JavaSetup8u351.exe
Token: SeSystemProfilePrivilege	1804	JavaSetup8u351.exe
Token: SeSystemtimePrivilege	1804	JavaSetup8u351.exe
Token: SeProfSingleProcessPrivilege	1804	JavaSetup8u351.exe
Token: SeIncBasePriorityPrivilege	1804	JavaSetup8u351.exe
Token: SeCreatePagefilePrivilege	1804	JavaSetup8u351.exe
Token: SeCreatePermanentPrivilege	1804	JavaSetup8u351.exe
Token: SeBackupPrivilege	1804	JavaSetup8u351.exe
Token: SeRestorePrivilege	1804	JavaSetup8u351.exe
Token: SeShutdownPrivilege	1804	JavaSetup8u351.exe
Token: SeDebugPrivilege	1804	JavaSetup8u351.exe
Token: SeAuditPrivilege	1804	JavaSetup8u351.exe
Token: SeSystemEnvironmentPrivilege	1804	JavaSetup8u351.exe
Token: SeChangeNotifyPrivilege	1804	JavaSetup8u351.exe
Token: SeRemoteShutdownPrivilege	1804	JavaSetup8u351.exe
Token: SeUndockPrivilege	1804	JavaSetup8u351.exe
Token: SeSyncAgentPrivilege	1804	JavaSetup8u351.exe
Token: SeEnableDelegationPrivilege	1804	JavaSetup8u351.exe
Token: SeManageVolumePrivilege	1804	JavaSetup8u351.exe
Token: SeImpersonatePrivilege	1804	JavaSetup8u351.exe
Token: SeCreateGlobalPrivilege	1804	JavaSetup8u351.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1968	iexplore.exe
1968	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1968	iexplore.exe
1968	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
1968	iexplore.exe
1968	iexplore.exe
1804	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1804	JavaSetup8u351.exe
1244	MsiExec.exe
1388	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1968	2016	Minecraft.exe	27
PID 2016 wrote to memory of 1968	2016	Minecraft.exe	27
PID 2016 wrote to memory of 1968	2016	Minecraft.exe	27
PID 2016 wrote to memory of 1968	2016	Minecraft.exe	27
PID 1968 wrote to memory of 564	1968	iexplore.exe	29
PID 1968 wrote to memory of 564	1968	iexplore.exe	29
PID 1968 wrote to memory of 564	1968	iexplore.exe	29
PID 1968 wrote to memory of 564	1968	iexplore.exe	29
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1968 wrote to memory of 1444	1968	iexplore.exe	32
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1444 wrote to memory of 1804	1444	JavaSetup8u351.exe	33
PID 1804 wrote to memory of 2040	1804	JavaSetup8u351.exe	35
PID 1804 wrote to memory of 2040	1804	JavaSetup8u351.exe	35
PID 1804 wrote to memory of 2040	1804	JavaSetup8u351.exe	35
PID 1804 wrote to memory of 2040	1804	JavaSetup8u351.exe	35
PID 1804 wrote to memory of 644	1804	JavaSetup8u351.exe	37
PID 1804 wrote to memory of 644	1804	JavaSetup8u351.exe	37
PID 1804 wrote to memory of 644	1804	JavaSetup8u351.exe	37
PID 1804 wrote to memory of 644	1804	JavaSetup8u351.exe	37
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1664	2040	msiexec.exe	40
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 2040 wrote to memory of 1952	2040	msiexec.exe	41
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1500	1952	installer.exe	43
PID 1952 wrote to memory of 1576	1952	installer.exe	44
PID 1952 wrote to memory of 1576	1952	installer.exe	44
PID 1952 wrote to memory of 1576	1952	installer.exe	44
PID 1952 wrote to memory of 1576	1952	installer.exe	44
PID 1952 wrote to memory of 1644	1952	installer.exe	58
PID 1952 wrote to memory of 1644	1952	installer.exe	58
PID 1952 wrote to memory of 1644	1952	installer.exe	58
PID 1952 wrote to memory of 1644	1952	installer.exe	58
PID 1952 wrote to memory of 1880	1952	installer.exe	48
PID 1952 wrote to memory of 1880	1952	installer.exe	48
PID 1952 wrote to memory of 1880	1952	installer.exe	48
PID 1952 wrote to memory of 1880	1952	installer.exe	48
PID 1952 wrote to memory of 1648	1952	installer.exe	50

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://adoptium.net/
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\JavaSetup8u351.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\JavaSetup8u351.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\jds7233532.tmp\JavaSetup8u351.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7233532.tmp\JavaSetup8u351.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:2040
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524
1⤵
PID:1564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F4992942DC71B1DFE156DF1817A105
  2⤵
  - Loads dropped DLL
  PID:1664
- C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1500
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1576
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    PID:1644
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1880
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1648
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    PID:1076
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:1164
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:1932
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
  - - C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1244
- - C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1872
  - - C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E981FBF1B24D6FD431F32447B20FD457 M Global\MSI0000
  2⤵
  PID:1000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1BA476271720888E281D3B221FC2A8BA
  2⤵
  PID:1820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCDEEF60E9C76BB72E1C2ECAC6B71C89 M Global\MSI0000
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_351\bin\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_351\installer.exe

Filesize
111.5MB

MD5
df17b88720a2fe52476de4ed530f959e

SHA1
b452a00266f190b8ee9a941d3bb386b53395f1ce

SHA256
060c06fd8e8fea6097fc80949993f9a7580d1501698c7d28b86ff204cc96929d

SHA512
30c8c164f9cc7dca95f49953843d67adb3b1260a10b5395f370773345335367becba766867987a793512ea57e8a1cc51e7a4e66603d107ce0e57306e03ca543e

Download Submit
C:\ProgramData\Oracle\Java\installcache\7261565.tmp\baseimagefam8

Filesize
67.7MB

MD5
c68f61bae0654148ae82c9ac18c771f9

SHA1
fde79f7eebe45a096e7af4d7463294551dead994

SHA256
fe7870985a9af11cff29ed00c1a8042d5e1f3194b465146ddcaa9612a51a3195

SHA512
f08e5bbbd74c322a079618aee7da064f510bac05f1b0066da11d9829f8ad8e9ca03ad0e20116d64173e2b5a9a0e12c1ac95b2880805c6a4de2828839506f7107

Download Submit
C:\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache\7261565.tmp\diff

Filesize
42.9MB

MD5
2c4665487dc2e07936d2301e94e4d5b8

SHA1
9a0368248e18378bfaa40991006094fcd1208bb9

SHA256
a8e0403e19829af777cd8f1abe8f9b1d60cc65ac9fdeb3e7e78629cb9e1faf62

SHA512
70c06bd80fb7d90b47f3e1337bbae1206bcd03da9dc2e4f821cf62c8dd84d5350ca15012f109b2a581ed07c7582456c0f187a69a0b15584b04182ddbcc3ceb1b

Download Submit
C:\ProgramData\Oracle\Java\installcache\7261565.tmp\newimage

Filesize
126.6MB

MD5
9446260ab5de2c07c3fe42a9f0285653

SHA1
5bb3b5219129d553d96cf188f96e02ec6d0e58e1

SHA256
d628d97cf441fb8ce26456dfad9c48060d25ab0228673df01975e5209983d925

SHA512
8186456908c70357f762ec895fb81c062e5e3c8000fed2734f85e41f092c319b04c1ebc1c89773e385550710b7af276ca8bd42a31c9f87c4588285bf8b11a99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
b85f62f461fcd8f88f843d27366343ae

SHA1
5f869f942757e78de1d1886e376e350ecd303180

SHA256
730e67179905dc17b5ec06fb3d66dcfe3116faf3415b45478d6905d4006b7237

SHA512
891c4d1094bac5ef613636f49f30156b06a0b84ea8cc503e6d75cce49f1481e32a61c3012402a42521abbd6d130a0e8171585fcc7b0825f2bf782940489950fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
66e1eb29b2f919f05bd2efc618283db3

SHA1
cb053a306df8124f0f31b8c3086167bb39c94ed6

SHA256
da47f89fd9cd628fcab810fcdf2276755052b73321921d39dfcd54fc4f530073

SHA512
1a92e004a84a6469072b3eeaf0856ac08ed7310a6324af21c01764c25349539ac8e6217747146457c61ee4a40eaae1a3eee5840e169001e8d73699066928fabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
bab23bb790bf19e2680a1fee436e9d51

SHA1
c3e384b5810e53d43e0d29637ad41159d63c855b

SHA256
7e143916a9f19dd0f411c2745c4df4dd8b35fed4ce675f294ce2b7a53fd4f7c5

SHA512
40551056fef333784aa4e97db2ffb0874303c97368d88ad55164a880c969ec66f494e3ac111ca6125cfa33fac6cab06ea3648b4aa98bf3341083d3cbb20ae81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
64006b608afe56c43c0f025404da2942

SHA1
fc51e6222aefb4b2e33704d969e66d028a37f2bc

SHA256
9d39983a385d76a9c15a4bf1c9023a6565b88d03e40df389120882c8612bf0df

SHA512
26f91bd09ccffa2f27b4e45c02f2194d89788fdbe837cdc3e7b8983f1f0d0c9fec7c1fd108c3935971db5eb2e5f652d9b9be96e7e4525131a677194235bbb26f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
95eeb05b2baec27dfc0434553f24b620

SHA1
d947d7fbfb814afe8546580d996025514ca7e5b1

SHA256
0e2bfa60a4a494e2161c2b094784ee7744fe9407bac75a0bd1cc7776b437edd1

SHA512
57419710587fd9748a86ed1496dd64fb45402a4b4254fb3c01a10a76d3e2ac1e0d0f8831f0157f5ace325e27d008b5ec186365d05b1b42bfb733d5ea93658e6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
89471fc13efc998b5daa719d2c53d012

SHA1
fb4dcf228b26136b42531367e159a773c9064b04

SHA256
5983f2ee2f5c924c64ca82351c7564c8ff3fb135e3ba99009ddf9b410ac33aa3

SHA512
a9a7375170a1b68514e5592f77717ccf296f6438824051f9c23d2515af57fd44802fe5bd5346d8419e1bad8c0a75497f7724c31ccd467fe583a1f0703a92e2c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
dd554b93bb63ea7b0c1e836be3da8d28

SHA1
f8aeefa4969ed332b2c8e4c2b202ed641fc9b610

SHA256
6c38116a247dfeb99657bc41054edb61173f7408bfad6f40ded0ad2cb215c341

SHA512
e3da10705bfee8c882ff777ab89eb75fd54e687a96e162f5335908399367251adc9504109b20cd5a9c854f71ffefdfe0143cd7b49ee926a99959865c74135163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e2bbf17f3367dc30102e8a09d8004c

SHA1
f6d1c7fdbcf051c20e50b49cc0d20a1fcbc7c2ce

SHA256
5130d58fef76de32e9aa90cfa4e73eefcbf89d6bd50b6c089e11c48bee2c42ed

SHA512
f9e784f52e6ab49f3434842126ce92958bdd3b20f00797c5afad01b4864dd9408ba06cf1fd257e87e325d91d4f5f2b9dfc25140018ce6ce3268a5ac2c5eb691d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ae09f1d0b9de8fbbd273dc112c71690

SHA1
ef339e65118ceafa991e0936fc82363c97750c17

SHA256
4bae4cbf2a762244e3a9ec7ecbc6211b375384ac0a4c7e5af30b83924b8f5a13

SHA512
6a20f1bff8d1b1018a76c2e50f29d1ade2cb2c0683f724f68775aa6c9730d434060b14cc01c1e3c742594a23be1f67d09c72573352dd829969362b1b69076bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f828109dec0f71c44202768470fcefc4

SHA1
18a7460fce352880ece649fee122fd73722ea198

SHA256
537275fb53f52abc93a0cfb04adeb4f616ccd8d522ea9e643d29680e3b48b715

SHA512
958ad46ebdeef6ccc73dec809817a3089d6d5d01d158782676479350b0a45c8f3b82e1da67559511c1cd1d8cb053494c7cc4159d7789ec647b54e4eb3e728ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5ad7539c19c08f59a58174d0a15daf4

SHA1
c31addf50341c67080eb0a7f4ae6c19f37db1947

SHA256
948e1b161f5d52ab0b664b1f90e8fb880478fb28b0117e38611e19d5da9916ad

SHA512
951c78235a99553d7671d04e84c557e7bf0474fb4bc5d9f29eb3d459a8d0984670f6aeadcff4d48764e30dee6aabc6903c0da570588fa4224862f0f1770b65f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
fecd2c216ddfef43e08c418de1ec5b2d

SHA1
2a696c6b0c2f93f565ee918b299f65922d3084f0

SHA256
d7f2c9096b597e8b3175c8630c7f33618d6fc8dc01c768e3e50727d413af3235

SHA512
ab0dd9c66d4c515b0c30e5efd9a10fb6e6b643d50920fb40d234de7693f4a0205be8d910aad0c1b8f32db7ed17f7892db9eaf7cdc66b28c576b309d91615bcb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
83752d1d50447ae7f8612b4498319637

SHA1
89be22a9f9d223dd1f5df0782cc32033614296bd

SHA256
f29b5e428e37b2885aae546d656c6a988de2b96f79edfcd83fb1a741e7459330

SHA512
469f3d34f3dfa34d082bb513d6023c00d5e1d226311677b4103c80301099307974bd1c5410027df5943b5c12550c8ae52f0b9b7ce0edb2f745eca015478f02f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
da514f8c9c41bd471ff280809b08e788

SHA1
b1129c76503fa5a1f498496b3bd5702f1f7aa90b

SHA256
634657ddb6cec87504f2d540a3fcd3725fba2653098dfc524c14c18b4c286448

SHA512
841173b6093d2a9ee447f184cee16924411443dbbe45542ad04c88b32bdf8b4421b73bc5029c459eecd599341c89ef62e61b88dd876d7af4257d2f0f97f99b2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\au.msi

Filesize
845KB

MD5
8eb92668c434cd93215b9981a9683fc4

SHA1
5b087204c1c7e1b985b11b7fcbfcb70e323ff79d

SHA256
bb3234ffa8ab178f621475a9415b46f29571dbb24fd75ddc590f4be6d6369779

SHA512
9e4cccf3ce7bc34c220528b5d206f35fc0a1355531511fbb414af01f09c19e579ff8e027b8125049dfd417ad284661832759ec2f0fb260371e471db02203f058

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\jre1.8.0_351full.msi

Filesize
70.0MB

MD5
2a16688489648f78ee304dce7734d0dd

SHA1
aa4c78aa153215068c52bdaeb0f88a5702f7cca6

SHA256
5fa5ae20eb7d3055f5f70c7bbd89361e299a3573f2bfc09de5f4f9b8f6ba7bc2

SHA512
bb6dbe10a70bc6a84884d71c18b7b3ef333b55eb5aa0c558f5bfc9f6c1cdbf939e1a198903469cb3104051e04ae2418f0b7fdbe4dfb35de5843593a5dac7441f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
1016KB

MD5
b4db0cceb5714378be3ccd4535d3aa4c

SHA1
7611e868ba040b0936ff56e0c9b6929042d7a49a

SHA256
9687cc0d7d5a60d7e9669d775b2e7255f9f578e3cb7086a3e2c114175f3a87bc

SHA512
f69232951f638247f87403cd3a861c84c084bfa8adb501a4ffa1984c3d2e6a963193d49744e0c59b21a8cf683dddb09f567ce088dabca9f1b163fe1b3cb0324f

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\msi.tmp

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
2KB

MD5
c5ebf1b4ffa4afecee3f2f60791bae50

SHA1
9b72b7520c064ea41aa2cd92d6ebcc6aa00b65e0

SHA256
abaf7039f6da67ee50e134b10867889d9ecf7ea9f6a8017ee65ad0e6109b0f3d

SHA512
395ae70c8b9baf5fc9ebdaf4736f17a7e4979c1b27d8c0911ebd0e26b9a86d84a8ea66971d20b3f03f80f01f1a90415ab36b532b214205780533d2e018364e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
11KB

MD5
b63be3d82563827b9d92d9b43b97350e

SHA1
fa597d5b64473fbeee3803f9b962221f0aa9be6a

SHA256
6ff67cc5421ee0c516447619476ad9226b08826bdb8dff7bccc52d5db5a9c86e

SHA512
c8f7ea4c41769ff51d9f0cf6864a08b6a50165144ac0e6677e0626ec01621a71665135e0fbbf9bb9ccaebfd0ea5becf31582f9493ad429c00213bd76c952dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
11KB

MD5
b63be3d82563827b9d92d9b43b97350e

SHA1
fa597d5b64473fbeee3803f9b962221f0aa9be6a

SHA256
6ff67cc5421ee0c516447619476ad9226b08826bdb8dff7bccc52d5db5a9c86e

SHA512
c8f7ea4c41769ff51d9f0cf6864a08b6a50165144ac0e6677e0626ec01621a71665135e0fbbf9bb9ccaebfd0ea5becf31582f9493ad429c00213bd76c952dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
39KB

MD5
6ea251f0522c198501e29c26e44b9aba

SHA1
95943880e5458e2f5d4a52b02432f33b0b7d70dd

SHA256
42d08c65074aeaa5783cb8296511db1d018e21f42bd1edff2013f4edbf2dd4c7

SHA512
ab8039e42639de1c5145f6e3f816cb0b0488166efb9c1d96b1e411cd7f9120171110d47774784b07e0b630e0900c50e9740719abad0204ddf3447c04537f8540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
40KB

MD5
0e7b3e69af0aacfa59eb10f57275b865

SHA1
cd2c38739059f8673b328b039127e81a7fc92421

SHA256
ff416069c53476bfe839ee47dd2c7427774877360dc4cb1ebf34c894a0bc98cd

SHA512
dd1d258eeaaf2e3d4de8ea31c428c9789a54b45c878ff492f3e42134788c33ca239acb80718f58e3bb45ea5b45f9835abeffc4502d5c868f4f0a732c23624bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\JavaSetup8u351.exe

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\JavaSetup8u351.exe.6q12ro4.partial

Filesize
2.2MB

MD5
82bc7b7e2716e6a631952daa1be4037e

SHA1
83ba6ede5983dd59b8e77439fd84e7b8085ee487

SHA256
3fa3ff57f229e3db478be90f6ce92a39f5043caffac116247b3430eb36f40b96

SHA512
35559edcf9dc2cb4740a1537bec5249ecfe306f7036f736b578fd07b6236ae3453b0a6e4d801e82506fa2ae770d7c80219af056e2313c3484b4474e1320885a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7233532.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7233532.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
39KB

MD5
5da30980f87ec53accaf78e98f1ee1ec

SHA1
2d875f270b28eb3a28bfa8a7d06533bb90a8cbda

SHA256
dd4714c866056d68689141bbea2edaa5556c9ea96bbfd27d002d49d635beaf13

SHA512
05f6a21861e8e4ba73c00a06815a16758f97f130d7d591f6daf00a3a8d49c26b693edb46df6e5b21a172a63380419c0cb53cb12b83833380802a9ca2958e1042

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
53KB

MD5
287c704eb8e8b894da8a95792b45fdb3

SHA1
65ac648ef6fb74fd0b2a865c949d8f85f23f367f

SHA256
78f4c5fa48d27e4859a0c2e05dd8de30eaa2f9e3c7349f792bdfbbe2713e2068

SHA512
daf18ab5573287474863ac83039d1e37263131bc4c9ebbb1b4d74a92c92d08ef540c7d7c6285ab4bd1379dedf07c9d16997d460c142cfb4d245f487bb454f085

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
2KB

MD5
61bad9296d1d51fdea49649b932d3bce

SHA1
a00e04fcd642d081d82215405b916151deb68ca8

SHA256
dbef438060b80c328168e685cf7ef71d7b55397c81a965559006a5a969d6b8aa

SHA512
2aff535896ee4a1d189dc4520527dd66cf0b3a9149cff59cea9b45893db09f7c0a2744d3521b74508f6245f50c11300df0fa0c73d1a0abb0cbab7bb20bfa1dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FBZFQTZZ.txt

Filesize
511B

MD5
665e2fcf2c98289c5f738ae07eb1ac65

SHA1
d31c6a1ecb2463a2506fe85098880d01e60c321a

SHA256
cdb81281cbfd5ac34e5ad15dd2d1f9b37486ebca32d6fe29df5b7fd2c67ae367

SHA512
63488bb4e52d120def773db015ff6df5939382514ee121c5d2f240eeb3220469a54c352b8ad0e2c4448c38f76a9d0acbc1fb161b1eb47b028d9e2d67d8ee5774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UOYB6DGX.txt

Filesize
601B

MD5
8b6987107d83b142f056cf2cf99f61dd

SHA1
c5719832d43041c77147a09dd619d328971e78ea

SHA256
b8004a15a90a3ffc9bcc658a804d47c73be110804f5ddbe2c96cea9b6de27dfc

SHA512
f11373ab045dd41ce2aa6068dd7f307171181b0c782f58650df2af6f6010e7d2c92586a6692dc9824f637fa2049b864fa6d24b754ec31b81c4840d417faec37b

Download Submit
C:\Windows\Installer\6eb83d.msi

Filesize
70.4MB

MD5
46769c6677f963cc4dc772f31350d20b

SHA1
42bc2fe2b629d1f7ad729db2c5bac9009291c961

SHA256
1eb15f60ea7bb0c7b4e5cc7e75fd5e7c0441ad689c90ebc96ab3008a29be2ba7

SHA512
436e0d7f8b281b21228262a848ea712542cee4ce98138bfb57a34c6157eea144dd7430b981b6255c0a301a1787aaee171144fea572e41e934d815ff9706adb07

Download Submit
C:\Windows\Installer\MSIBF0E.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSIC49B.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
C:\Windows\Installer\MSIC539.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
174KB

MD5
4dad43f2b4cb8a53eeb96862d35d92b8

SHA1
80e125445706985e0a736f49c964070a5da12cdf

SHA256
ba1e9fb47f6afd7d22e170745cf8cf4641a88357b4e7effccc446b8486e6baed

SHA512
f65fc702e6324db2033f04732adb4172e9ecf737e05a4af90b66b7cd933107338bad0dbb68ccf0abb217058a153e6e9e567337ed3f63264600a775c2edf3f1eb

Download Submit
\Program Files (x86)\Java\jre1.8.0_351\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache\7261565.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7233532.tmp\JavaSetup8u351.exe

Filesize
1.9MB

MD5
f39998ce3424007f4e5772d547a69fbc

SHA1
071f69e3f29f4d30006358a249c12cda7ac9b636

SHA256
cb9818a058f448dabe8b045ac3ef06ef4973fa3e4996cc035f779672a0397715

SHA512
5b7fb094159170dbc2144678799c6b273b2eb62deef143036b63f7472c41e1a9a9ae991ed8c4b4df411e641cd387e3e3d125d497098d636213cc8915d8d2e853

Download Submit
\Windows\Installer\MSIBF0E.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSIC49B.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
\Windows\Installer\MSIC539.tmp

Filesize
601KB

MD5
bbed445fd227324054eab65b74115170

SHA1
b84c37d0fa489624cd7b2c50a6ea8ec9d130eb4a

SHA256
5d523cf6795d8ef9503a781e4cfe24a432e3ea15f145264a28b41b8eaba0f1d8

SHA512
4ecb71be9c688c08c1a4099efec117698379f06392bdb87a6a6ad05180872973a8323822bf5bebbc56b382daeee6048328cc71c252ba41ac358d739946afcf05

Download Submit
memory/1244-228-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-233-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-246-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-245-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-244-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-243-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-242-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-241-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-239-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-238-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-235-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-232-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-231-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-230-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-227-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-222-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-218-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-216-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-215-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-214-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-213-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-194-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-200-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-206-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-209-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1244-210-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/1388-289-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-288-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-295-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-296-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-297-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-291-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-300-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-294-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-292-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-304-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-303-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-287-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-308-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-281-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-302-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-273-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1388-266-0x0000000002710000-0x0000000004710000-memory.dmp

Filesize
32.0MB

Download
memory/1500-146-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1500-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-148-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-145-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1500-144-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1500-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1644-223-0x00000000022E0000-0x00000000042E0000-memory.dmp

Filesize
32.0MB

Download
memory/1644-173-0x00000000022E0000-0x00000000042E0000-memory.dmp

Filesize
32.0MB

Download
memory/1952-135-0x0000000000190000-0x00000000001A7000-memory.dmp

Filesize
92KB

Download
memory/1952-147-0x0000000000190000-0x00000000001A7000-memory.dmp

Filesize
92KB

Download
memory/2016-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-117-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp

Filesize
8KB

Download