107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b

Analysis

max time kernel
330s
max time network
421s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher 3.0.exe
Size

1.2MB
MD5

32c7e3347f8e532e675d154eb07f4ccf
SHA1

5ca004745e2cdab497a7d6ef29c7efb25dc4046d
SHA256

107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b
SHA512

c82f3a01719f30cbb876a1395fda713ddba07b570bc188515b1b705e54e15a7cca5f71f741d51763f63aa5f40e00df06f63b341ed4db6b1be87b3ee59460dbe2
SSDEEP

24576:Dh199z42ojP6a7HJlF9eu5XFQZSIZeNGdmEE8H17UBcegl:R9zbgH3euNFQZr/oEE892cfl

Score

10^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2632 created 4144	2632	svchost.exe	186

Blocklisted process makes network request 1 IoCs

flow	pid	Process
259	3464	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
3748	ChromeRecovery.exe
1276	jre-8u351-windows-x64.exe
944	jre-8u351-windows-x64.exe
4144	installer.exe
1140	bspatch.exe
1712	unpack200.exe
2756	unpack200.exe
1144	unpack200.exe
2628	unpack200.exe
3452	unpack200.exe
4700	unpack200.exe
3528	unpack200.exe
3168	javaw.exe
1380	ssvagent.exe
3748	javaws.exe
3008	jp2launcher.exe
2756	javaws.exe
4248	jp2launcher.exe
1732	MSI5C3B.tmp

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0119-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0235-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0095-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0349-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0195-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0342-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0324-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0126-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0179-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MSI5C3B.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0245-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0040-ABCDEFFEDCBB}\INPROCSERVER32	MSI5C3B.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0180-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0337-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0079-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0177-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0104-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0147-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0292-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0241-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0225-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0316-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0228-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0273-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32	MSI5C3B.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBA}\InprocServer32	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0212-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0274-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0120-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1140-171-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/1140-172-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/1140-173-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
4348	javaw.exe
668	MsiExec.exe
668	MsiExec.exe
668	MsiExec.exe
1712	unpack200.exe
2756	unpack200.exe
1144	unpack200.exe
2628	unpack200.exe
3452	unpack200.exe
4700	unpack200.exe
3528	unpack200.exe
3168	javaw.exe
3168	javaw.exe
3168	javaw.exe
3168	javaw.exe
3168	javaw.exe
3168	javaw.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe
4144	installer.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1380	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MSI5C3B.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MSI5C3B.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MSI5C3B.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	MSI5C3B.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MSI5C3B.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MSI5C3B.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	MSI5C3B.tmp
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	MSI5C3B.tmp
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_pt_BR.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\localedata.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_LinkDrop32x32.gif	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\orbd.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-heap-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-synch-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\net.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cryptix.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\GRAY.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jsse.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\javaws.jar	unpack200.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\thaidict.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\logging.properties	installer.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2044_1424794275\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-interlocked-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2044_1424794275\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Java\jre1.8.0_351\THIRDPARTYLICENSEREADME.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jpeg.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_de.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\limited\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-private-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\management.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\colorimaging.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\dynalink.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_240810703\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140_1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\npt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\win32_MoveDrop32x32.gif	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\snmp.acl.template	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_240810703\java.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-multibyte-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\ffjcext.zip	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\limited\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\trusted.libraries	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-process-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\JavaAccessBridge-64.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\klist.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmiregistry.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\freebxml.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\sunec.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\profile.jfc	installer.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2FDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI303C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a24a0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180351F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a24a0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B09.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CDF.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a24a3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3682.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1140	4816	WerFault.exe	81

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	MSI5C3B.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	MSI5C3B.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0235-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0118-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0189-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0250-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_250"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0301-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_301"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_72"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0244-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0074-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0117-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_117"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_213"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0234-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_03"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0104-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_75"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0303-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0149-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0324-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_324"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_06"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0253-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0123-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0221-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0093-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_93"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0329-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0100-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_45"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0329-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0238-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0127-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0149-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0340-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_211"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0215-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0228-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0189-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBA}	MSI5C3B.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0187-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_47"	MSI5C3B.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0361-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_361"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0176-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0227-ABCDEFFEDCBC}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0295-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0119-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0287-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0134-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_134"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}	MSI5C3B.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0131-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0226-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_41"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	MSI5C3B.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	MSI5C3B.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0059-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MSI5C3B.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0225-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_200"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0194-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0196-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBA}\InprocServer32	MSI5C3B.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}	MSI5C3B.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0205-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0199-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0303-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0194-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0288-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	MSI5C3B.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0047-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	MSI5C3B.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0005-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_101"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBC}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0196-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	MSI5C3B.tmp

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2244	chrome.exe
2244	chrome.exe
2964	chrome.exe
2964	chrome.exe
4288	chrome.exe
4288	chrome.exe
4112	chrome.exe
4112	chrome.exe
2520	chrome.exe
2520	chrome.exe
5024	chrome.exe
5024	chrome.exe
3908	chrome.exe
3908	chrome.exe
3060	chrome.exe
3060	chrome.exe
3892	chrome.exe
3892	chrome.exe
4868	chrome.exe
4868	chrome.exe
4948	chrome.exe
4948	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
2140	chrome.exe
2140	chrome.exe
3748	javaws.exe
3748	javaws.exe
3008	jp2launcher.exe
3008	jp2launcher.exe
2756	javaws.exe
2756	javaws.exe
4248	jp2launcher.exe
4248	jp2launcher.exe
1732	MSI5C3B.tmp
1732	MSI5C3B.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	944	jre-8u351-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	944	jre-8u351-windows-x64.exe
Token: SeSecurityPrivilege	3464	msiexec.exe
Token: SeCreateTokenPrivilege	944	jre-8u351-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	944	jre-8u351-windows-x64.exe
Token: SeLockMemoryPrivilege	944	jre-8u351-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	944	jre-8u351-windows-x64.exe
Token: SeMachineAccountPrivilege	944	jre-8u351-windows-x64.exe
Token: SeTcbPrivilege	944	jre-8u351-windows-x64.exe
Token: SeSecurityPrivilege	944	jre-8u351-windows-x64.exe
Token: SeTakeOwnershipPrivilege	944	jre-8u351-windows-x64.exe
Token: SeLoadDriverPrivilege	944	jre-8u351-windows-x64.exe
Token: SeSystemProfilePrivilege	944	jre-8u351-windows-x64.exe
Token: SeSystemtimePrivilege	944	jre-8u351-windows-x64.exe
Token: SeProfSingleProcessPrivilege	944	jre-8u351-windows-x64.exe
Token: SeIncBasePriorityPrivilege	944	jre-8u351-windows-x64.exe
Token: SeCreatePagefilePrivilege	944	jre-8u351-windows-x64.exe
Token: SeCreatePermanentPrivilege	944	jre-8u351-windows-x64.exe
Token: SeBackupPrivilege	944	jre-8u351-windows-x64.exe
Token: SeRestorePrivilege	944	jre-8u351-windows-x64.exe
Token: SeShutdownPrivilege	944	jre-8u351-windows-x64.exe
Token: SeDebugPrivilege	944	jre-8u351-windows-x64.exe
Token: SeAuditPrivilege	944	jre-8u351-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	944	jre-8u351-windows-x64.exe
Token: SeChangeNotifyPrivilege	944	jre-8u351-windows-x64.exe
Token: SeRemoteShutdownPrivilege	944	jre-8u351-windows-x64.exe
Token: SeUndockPrivilege	944	jre-8u351-windows-x64.exe
Token: SeSyncAgentPrivilege	944	jre-8u351-windows-x64.exe
Token: SeEnableDelegationPrivilege	944	jre-8u351-windows-x64.exe
Token: SeManageVolumePrivilege	944	jre-8u351-windows-x64.exe
Token: SeImpersonatePrivilege	944	jre-8u351-windows-x64.exe
Token: SeCreateGlobalPrivilege	944	jre-8u351-windows-x64.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4348	javaw.exe
4348	javaw.exe
944	jre-8u351-windows-x64.exe
944	jre-8u351-windows-x64.exe
944	jre-8u351-windows-x64.exe
944	jre-8u351-windows-x64.exe
3008	jp2launcher.exe
4248	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4348	2416	SKlauncher 3.0.exe	80
PID 2416 wrote to memory of 4348	2416	SKlauncher 3.0.exe	80
PID 2244 wrote to memory of 4960	2244	chrome.exe	96
PID 2244 wrote to memory of 4960	2244	chrome.exe	96
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 4696	2244	chrome.exe	99
PID 2244 wrote to memory of 2568	2244	chrome.exe	100
PID 2244 wrote to memory of 2568	2244	chrome.exe	100
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101
PID 2244 wrote to memory of 3972	2244	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 4816 -ip 4816
1⤵
PID:1904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4816 -s 1764
1⤵
- Program crash
PID:1140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe4d9a4f50,0x7ffe4d9a4f60,0x7ffe4d9a4f70
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2428
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7012ea890,0x7ff7012ea8a0,0x7ff7012ea8b0
    3⤵
    PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1084 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3820 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe
  "C:\Users\Admin\Downloads\jre-8u351-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\jds240781062.tmp\jre-8u351-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\jds240781062.tmp\jre-8u351-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:944
  - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
      -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      PID:3748
  - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
      -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,18429512983965678391,4551379777685763696,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  PID:3336
- C:\Users\Admin\Downloads\SKlauncher 3.0.exe
  "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
  2⤵
  PID:968
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\Downloads\SKlauncher 3.0.exe"
    3⤵
    PID:2564
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:1380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2044
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2044_1424794275\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2044_1424794275\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ffe4785d-e08a-45a2-abdf-835942e9d11a} --system
  2⤵
  - Executes dropped EXE
  PID:3748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3464
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4156761FD2B53F5A17111AC00B7505DB
  2⤵
  - Loads dropped DLL
  PID:668
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4144
- - C:\ProgramData\Oracle\Java\installcache_x64\240793750.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    PID:1140
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1712
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2756
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1144
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2628
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3452
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4700
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3528
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3168
- - C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:1380
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3748
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3008
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4248
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 455DB8B22C96D9756F040790D942CFAC E Global\MSI0000
  2⤵
  PID:3168
- C:\Windows\Installer\MSI5C3B.tmp
  "C:\Windows\Installer\MSI5C3B.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- - C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:4400
  - - C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:4196
- - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
    3⤵
    PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4067024248000.dll

Filesize
9KB

MD5
697d496ac9f5aaab8ae025322358c61e

SHA1
2043eac8cdcc2e24b854af1eacd77a5f2a395a27

SHA256
a7273a4cf48ab3413f2c186cc95a3367a73ce99f8d45329383219d4cc27003aa

SHA512
b6702cd49a3af9f97f697565136f140692af9f8b271e672f2e91c920a23212b778583786f2377078117113647926338614a92c4a2423318b7a21ba2fe3a89838

Download Submit
memory/1140-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1140-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1140-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2564-320-0x0000022230AA0000-0x0000022231AA0000-memory.dmp

Filesize
16.0MB

Download
memory/2564-294-0x0000022230AA0000-0x0000022231AA0000-memory.dmp

Filesize
16.0MB

Download
memory/2564-314-0x0000022230AA0000-0x0000022231AA0000-memory.dmp

Filesize
16.0MB

Download
memory/2564-306-0x0000022230AA0000-0x0000022231AA0000-memory.dmp

Filesize
16.0MB

Download
memory/3008-241-0x0000012970840000-0x0000012971840000-memory.dmp

Filesize
16.0MB

Download
memory/3008-196-0x0000012970840000-0x0000012971840000-memory.dmp

Filesize
16.0MB

Download
memory/3008-209-0x0000012970840000-0x0000012971840000-memory.dmp

Filesize
16.0MB

Download
memory/3748-271-0x0000026D00000000-0x0000026D01000000-memory.dmp

Filesize
16.0MB

Download
memory/3952-296-0x0000019D1DCF0000-0x0000019D1ECF0000-memory.dmp

Filesize
16.0MB

Download
memory/4196-256-0x0000000004F80000-0x0000000005F80000-memory.dmp

Filesize
16.0MB

Download
memory/4248-220-0x000002251C410000-0x000002251D410000-memory.dmp

Filesize
16.0MB

Download
memory/4248-239-0x000002251C410000-0x000002251D410000-memory.dmp

Filesize
16.0MB

Download
memory/4248-238-0x000002251C410000-0x000002251D410000-memory.dmp

Filesize
16.0MB

Download
memory/4248-237-0x000002251C410000-0x000002251D410000-memory.dmp

Filesize
16.0MB

Download
memory/4248-232-0x000002251C410000-0x000002251D410000-memory.dmp

Filesize
16.0MB

Download
memory/4348-159-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/4348-158-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/4348-155-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/4348-137-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download