7c6220b046553f9c95b8098ff83bfc6b7828093650becbc1b44e3d7819d7efd1

Resubmissions

31/01/2023, 04:49

230131-ffnbzsgd2s 4

31/01/2023, 04:45

230131-fdfjcsgc7w 8

31/01/2023, 04:39

230131-fabq1aef46 4

Analysis

max time kernel
77s
max time network
116s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31/01/2023, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shiginima Launcher ML.ES.exe
Size

5.4MB
MD5

c3db052da531710367faf5e011475715
SHA1

46f599e4e1ece582006739debe0a522925a9cd13
SHA256

7c6220b046553f9c95b8098ff83bfc6b7828093650becbc1b44e3d7819d7efd1
SHA512

67bfb67b36dab91e37b1ada7fbd688dc39cf19c337e3938d1f7e4f47173b7dc9d0b93dc035d6511ce65b8fe44384bb9cffa9953e97c6fffadb29fd561eec7feb
SSDEEP

98304:qpTJ89MMbcZsgsDlilods/txVGHTJKsTnEFnAzvDfBzXEYNsJ5Ono:aTm9MMbcFililB0HdRTnEFnAzlEQsJ5H

Score

8^/10

adware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
77	1856	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1584	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
884	LZMA_EXE
544	LZMA_EXE
2024	installer.exe
1572	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1584	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
852	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
1572	javaw.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe
2024	installer.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\cldrdata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\tzdb.dat	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jli.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java_crw_demo.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\javafx.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\content-types.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\policy\limited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\glass.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\meta-index	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr\default.jfc	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jsse.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jabswitch.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\plugin2\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\JavaAccessBridge-32.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fontconfig.properties.src	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jpeg.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\instrument.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\thaidict.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\decora_sse.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\sound.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\jcup.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\API-MS-Win-core-xstate-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaBrightDemiItalic.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\splash_11-lic.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\management\snmp.acl.template	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jfxmedia.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\javaws.policy	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\win32_MoveNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jdwp.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\j2pcsc.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\asm.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\Xusage.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\classlist	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\gstreamer.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\zlib.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\README.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\rmiregistry.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssv.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_7146218\java.exe	installer.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC91D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC89.tmp	msiexec.exe
File created	C:\Windows\Installer\6cba6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cba6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC43C.tmp	msiexec.exe
File created	C:\Windows\Installer\6cba6c.ipi	msiexec.exe
File created	C:\Windows\Installer\6cba6e.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 28fbf5443735d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000ed37d8297f95108b423a8fa8be2c6f36e058b7a147423b9fde15b2cc1195cad6000000000e80000000020000200000000a28cddb67010ed449baf85681a17b73502b0e6d6e902da89e1cf789902f4987200000004b74615729e7a471a685737d3bc3c392f333a3b50ad675a045bd45788b9f5dcc40000000ec980038855b50fe72e90cdc9e2875e15eb733ce384ca96cfbe24dc806e962682ea6a11450a61c7bb36ba7747af2fe4ab8c369969023fc8793a12c7dbb667027	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000001dc09f43f788fdb774f6393c55493ad760fa75168f3387ec9e60bb243297b325000000000e8000000002000020000000a4279438b2523211702c667717a48917add107c87066265a9b606fbd7f6a158540010000081862206dcf873cebcb7d872522ce790c587e7773caf86a839fb3b4542ae9fe41e20b40f63130732c1bb3212f0c85bdb887987590a2a17dd3fb4cc7e78a1cfe9f21f661f1265ce8fdb1134df702194479feba02da061d421d2d8634cf5190beff85f1e981ee58e3be54bf98df850f5f551adf6dc5b4093fec97db0a22fce06f2df09be409ff0420f8b87c427572841f091d3c6bb5f1e5f08653812b6635f3c374d8efabbb57c208dca015091f60a642e22650925eb3d94ce8e54edad7ff0c924d8cb2228ab3211f095acd124485bd91dce32f139e450b0aaf26c1cc972054ff1d0c53cd248debc86647c34b190923c5cbe9f4f9030cefeb89b6796758ef3f369ec91bb58fe75618b80e079400502611e8843571e7ed92fd9bd21e587e4532fa2df685e749362663b8bc42296f8d377439791a1006680101a7fad4f2994e9e63400000000a80806bc95a8e2ee7e7f193ba378c5bb75f7233af70434b8bcb59ab95ce0257bda9a82db1ef7a5b07a274ac5b8aeb5c0ffbaf9108b835868aeb7463b87b9d26	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7518B021-A12A-11ED-96D9-C6AD45B766F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u361.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0034f84f3735d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_96"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0148-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_153"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0096-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_06"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0151-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0179-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_194"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_76"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0200-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_81"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_117"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_121"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_83"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0147-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0152-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0189-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0188-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0104-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_32"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0119-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_198"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_108"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0166-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_166"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0130-ABCDEFFEDCBB}	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0097-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0146-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0107-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_27"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_61"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_85"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_94"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0095-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0135-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0192-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0088-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0091-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0089-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_89"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_52"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0133-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0174-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0193-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0072-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_121"	installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1988	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1544	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1544	JavaSetup8u361.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeSecurityPrivilege	1856	msiexec.exe
Token: SeCreateTokenPrivilege	1544	JavaSetup8u361.exe
Token: SeAssignPrimaryTokenPrivilege	1544	JavaSetup8u361.exe
Token: SeLockMemoryPrivilege	1544	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1544	JavaSetup8u361.exe
Token: SeMachineAccountPrivilege	1544	JavaSetup8u361.exe
Token: SeTcbPrivilege	1544	JavaSetup8u361.exe
Token: SeSecurityPrivilege	1544	JavaSetup8u361.exe
Token: SeTakeOwnershipPrivilege	1544	JavaSetup8u361.exe
Token: SeLoadDriverPrivilege	1544	JavaSetup8u361.exe
Token: SeSystemProfilePrivilege	1544	JavaSetup8u361.exe
Token: SeSystemtimePrivilege	1544	JavaSetup8u361.exe
Token: SeProfSingleProcessPrivilege	1544	JavaSetup8u361.exe
Token: SeIncBasePriorityPrivilege	1544	JavaSetup8u361.exe
Token: SeCreatePagefilePrivilege	1544	JavaSetup8u361.exe
Token: SeCreatePermanentPrivilege	1544	JavaSetup8u361.exe
Token: SeBackupPrivilege	1544	JavaSetup8u361.exe
Token: SeRestorePrivilege	1544	JavaSetup8u361.exe
Token: SeShutdownPrivilege	1544	JavaSetup8u361.exe
Token: SeDebugPrivilege	1544	JavaSetup8u361.exe
Token: SeAuditPrivilege	1544	JavaSetup8u361.exe
Token: SeSystemEnvironmentPrivilege	1544	JavaSetup8u361.exe
Token: SeChangeNotifyPrivilege	1544	JavaSetup8u361.exe
Token: SeRemoteShutdownPrivilege	1544	JavaSetup8u361.exe
Token: SeUndockPrivilege	1544	JavaSetup8u361.exe
Token: SeSyncAgentPrivilege	1544	JavaSetup8u361.exe
Token: SeEnableDelegationPrivilege	1544	JavaSetup8u361.exe
Token: SeManageVolumePrivilege	1544	JavaSetup8u361.exe
Token: SeImpersonatePrivilege	1544	JavaSetup8u361.exe
Token: SeCreateGlobalPrivilege	1544	JavaSetup8u361.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	iexplore.exe
1200	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1200	iexplore.exe
1200	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe
1544	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1200	832	Shiginima Launcher ML.ES.exe	28
PID 832 wrote to memory of 1200	832	Shiginima Launcher ML.ES.exe	28
PID 832 wrote to memory of 1200	832	Shiginima Launcher ML.ES.exe	28
PID 832 wrote to memory of 1200	832	Shiginima Launcher ML.ES.exe	28
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1988	1200	iexplore.exe	30
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1200 wrote to memory of 1584	1200	iexplore.exe	32
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1584 wrote to memory of 1544	1584	JavaSetup8u361.exe	33
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 884	1544	JavaSetup8u361.exe	35
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1544 wrote to memory of 544	1544	JavaSetup8u361.exe	37
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 852	1856	msiexec.exe	40
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 1856 wrote to memory of 2024	1856	msiexec.exe	41
PID 2024 wrote to memory of 1572	2024	installer.exe	42
PID 2024 wrote to memory of 1572	2024	installer.exe	42
PID 2024 wrote to memory of 1572	2024	installer.exe	42
PID 2024 wrote to memory of 1572	2024	installer.exe	42

C:\Users\Admin\AppData\Local\Temp\Shiginima Launcher ML.ES.exe
"C:\Users\Admin\AppData\Local\Temp\Shiginima Launcher ML.ES.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT1AL9CX\JavaSetup8u361.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT1AL9CX\JavaSetup8u361.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\jds7108123.tmp\JavaSetup8u361.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7108123.tmp\JavaSetup8u361.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:884
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32D986F50327AD49CFADA58915DCD915
  2⤵
  - Loads dropped DLL
  PID:852
- C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180361F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1572
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:1368
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1680
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll

Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe

Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\i386\jvm.cfg

Filesize
623B

MD5
9aef14a90600cd453c4e472ba83c441f

SHA1
10c53c9fe9970d41a84cb45c883ea6c386482199

SHA256
9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1

SHA512
481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar

Filesize
53.2MB

MD5
32a3259b2753bf46dd1d6db41bfde524

SHA1
c4deb978992124134cf71d6b48af8fd3dfab8072

SHA256
e37b804af67aee09c8852ee666268970a17b71c3da475b3ffd098236d455367b

SHA512
7fd21fe13ce64009a1440f2992ff955f6934cdc5c43914781f0f994c32be9c8da5cae1b73d07355826905eec6a0a0b604163849ff6d3173120a561059b1451c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
1b0e6f4b96a8445c8db2d9feb453d419

SHA1
5b364176c11912e3f635cf5ad74d6c038a14b0d4

SHA256
7d5760661c3d1c56c3da59beb495b67e68de59af188c37539ea97374ff4ca235

SHA512
9cbcc8625c948d7c3960dde63032b1039e85b0dcae6564e86edbf067bb6f191313bc3219378c3a22c8fdc9687b9fb553bf600216c6bae0ca65d64744435e264a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
5231d5c9b44965ee612379fef936d043

SHA1
1efe77c198f21092000fe876dd132f6060bb48fb

SHA256
fe7f49cfd264ae1be08c5b65f3b6dafbdc9b93ace006c5519ce2c8dbb1bd2e1d

SHA512
45938a4a0ad639eac721d65a0d6d2b6d6d3d895ce9f06b2e6e1589172a7bd8d82c51937fb2f1f30c49bb1dbe60ee5c9c9163fa5259bb28de9b220540afe5155d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
59c7d1c3e315494e116f2c507c82c767

SHA1
12a70b21e3d5d6f4aa8b9f06e115754d2ad47de6

SHA256
9164088264623e289af26a53f6aae4948e9190885685866c9c7675382406d50c

SHA512
a5dafd1fe7527b25a13de644ba43a79e1f2a50aed20f46c8b2b60af9926d08775480fb22f926f903231bf183da016b2dfebb0cc1195505e00b5ab7c84a0f9ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
b9301e00a6fcb9e53a99ebd7cbdf8128

SHA1
34ad5deb272bc34d1ef74057b6ce81404afac905

SHA256
fa1a5ae29c947c2ae91b46a318639884d7303c00d63a41ba1a3762f0100787f6

SHA512
fc7754370bd48aa71d9792019cbbfff2fb8df8e54f3f0c29a3830cde1aea7c1e24b789230ac7779c4b253c15912709366bb6ba4e16da953677905f1e8a3fe95b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
5cd169ec71c272e9f497399b485a116c

SHA1
9d56b7155d853d9caa111fda235e6be642509b0d

SHA256
35de90bbc820009394fb98cf7ff326f8aa613d6df9b656dc5e48d94c8b87be9a

SHA512
9effd0a5347f9a161aa2fb33730aed697925892323a81b36e61472121fb5fd4abb2f1887866a14ce6fcb797d0eb694ce4600aa68092dc8a32a348c8f39eee9d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
404B

MD5
79ac0916acdb97ed8333f1ee81e6d0f6

SHA1
0f7d94aadaf679884fd588eac1647b52b70bf409

SHA256
15c62256283882d27801df01d869daba4c81a93b892e5c495210c5a183a64bc8

SHA512
a7258dc9d43c98ddd05f18c1157712c1bcd001576c9d4ed0d2c373893b117351419ae47e0e0857a80f8e3a237c3c0dc2b8562fb9cb1477b0997f5b4ab6f266e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0da317f9558e027fe5e4e5df64a1a0f

SHA1
91d0a41e43e82f0307225eba0efc48a4eaa9b0c2

SHA256
a29e8aafde07e0f775aceca93ad29fc97c065f2944b35e282842913232e75e8a

SHA512
31efbd1bd5ce42c20af21ccb9d19fc6e3affdd4d80dd952bcb55a9bac0464d21535ed34a9c1ccd77363b8c83a07a72e2a34d6a0daee510051d062e8af553feda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19fe40f736de6037712fb4c4bd8cb6e9

SHA1
d79a1d782e6a888861327f2b42f832aacd4d8000

SHA256
16a2b583ab77b2759d02cbe6a1d934bf3836a646aaed778dbb940464a7170f29

SHA512
22d413786c917a8836fa895fa4df395e7aad89f4cdeea640962fe268d49324ce04d3e5c1028e4ad399e2db1b11db58782650a4591d20ff14bef8993bc8600819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
59c2d2478f178495373c01b3bea9cc99

SHA1
02e3e04ae9f25827b25864d65aee45215799dafe

SHA256
357f46e48923e051b0dcd2d80833522cddaa18d6aba11d2d26c95c939b7893c6

SHA512
90ed8d397c1dea228ae8f71079e4fca071eae703ebb72ccc32c8a1c65ecfb639be9f6a367d6e02281307cf3c030e56acbba37f6c05951a7b13e0100db9f61355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
945682a8b73d0739b9d0f3a33c2c4361

SHA1
b8d8296f5cb3db8ce0f3a3e64f0a1ecd823557b6

SHA256
36613644d50abad286c1d8aeaae258d6907025aeecdb2e95f42172495d22d09e

SHA512
57d3e67f35aace51bed16d669deca130e34e64f73ccbf3fb690ba3fb1a9fc3de73bdab09b80abbcbb324cbb57cc2f43ef60207a0c8ce49f6d248ee412eb883e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi

Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi

Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

Filesize
1KB

MD5
894812e307f442b79d24cb58e8eda64c

SHA1
b73dca90577a195c52aa7416c3fc4dc652f2fe4c

SHA256
a8700aa7f7ad7dacbaed9347615ccd7d5ffedd62afc62aed6d867240b0c252b7

SHA512
33c29b1b9ba7bcc68852149000ea0402b4ba491be13954f1b0117d94e029c3e8abd89e2cefc36634027cc79ecf1b17b85ca9a5507c08c6dff5dba10b99febd6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT1AL9CX\JavaSetup8u361.exe

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT1AL9CX\JavaSetup8u361.exe.dohh73j.partial

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7108123.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7108123.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
40KB

MD5
5889f7fce512d183851b5b3d283bf3de

SHA1
5751d4baece7c0f033c351b63d0c974f24679b0d

SHA256
8b069948f1459d7ba8d461120b5b7183c4971176ad2253e1ad6138778be1b628

SHA512
e07d20aff8df8d9f81018ed5fd6cabbe8e553ce4a96bc2ed6492ab4e2bf9bf14b5ff0d193e9e5ace286874a5cc5448dc6ff728dd8f5861d6f9d785930777f978

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
53KB

MD5
d7387a1ed2ffd46c773cabeaf8f0f88e

SHA1
0bad6c6e647777e22060355d8dd7a6371a3ee45b

SHA256
45d87fac0dd34c417da69907a7c973641474e09290e5f3c4ee171e0d3e1b99ec

SHA512
915e3bcdd65a62f8c965db896686a10acad31ba6cb8d2d588620dc790bfbdb0203bc0b4cabd714cee1e981324823735a0e6c797989c67a8bd060b0076c30e6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
bbdd7c7422f8801964da9a421f075c85

SHA1
52fe0113c5b217df3cf24e267e2fa961bf9e4046

SHA256
360e7fa543b19cf718ca699c503b50b3511514bf0919235698d1f7d243e7e015

SHA512
c02884be89b82a2f687f6a6092b51aa17c27d80d4255bd7aac9e1cdd5f7cbeef9e5c7caa2af92eb232aea005330f4230d3fd433f4614fe248827ff2ff1826ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7D95KEAU.txt

Filesize
512B

MD5
007b18119085332050cdf6efda832b6b

SHA1
de01afebedc7031b8d99b4a251c1f344ca68a93d

SHA256
753e4ef4c215eaed2e4fc7a9902deef1f1abedb9d0bb47b236236951ad714cb8

SHA512
e890d127b690f6a01e2c0a0919470baeee271870e8c5a33b4ed7efeed998e9939e8a194898360ce693aa0b2741cf5927c36e95bd454e5bc23203e8c5d5e59bb8

Download Submit
C:\Windows\Installer\6cba6e.msi

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Windows\Installer\MSIC43C.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIC91D.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSICC89.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
cd3cec3d65ae62fdf044f720245f29c0

SHA1
c4643779a0f0f377323503f2db8d2e4d74c738ca

SHA256
676a6da661e0c02e72bea510f5a48cae71fdc4da0b1b089c24bff87651ec0141

SHA512
aca1029497c5a9d26ee09810639278eb17b8fd11b15c9017c8b578fced29cef56f172750c4cc2b0d1ebf8683d29e15de52a6951fb23d78712e31ddcb41776b0f

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
b181124928d8eb7b6caa0c2c759155cb

SHA1
1aadbbd43eff2df7bab51c6f3bda2eb2623b281a

SHA256
24ea638dfa9f40e2f395e26e36d308db2ab25ed1baa5c796ac2c560ad4c89d77

SHA512
2a43bf4d50d47924374cde689be24799c4e1c132c0bc981f5109952d3322e91dd5a9352b53bb55ca79a6ea92e2c387e87c064b9d8c8f519b77fff973d752dc8f

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
b5c8334a10b191031769d5de01df9459

SHA1
83a8fcc777c7e8c42fa4c59ee627baf6cbed1969

SHA256
6c27ac0542281649ec8638602fbc24f246424ba550564fc7b290b683f79e712d

SHA512
59e53c515dfa2cd96182ca6539ed0ea2ebb01f5991beb08166d1fc53576aeaafebbb2c5ee0ccbdab60ae45fc6a048fff0b5e1b8c9c26907791d31fb7e75b1f39

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
86421619dad87870e5f3cc0beb1f7963

SHA1
2f0fe3eb94fa90577846d49c03c4fd08ef9d3fb2

SHA256
64eccd818f6ffc13f57a2ec5ca358b401ffbb1ca13b0c523d479ef5ee9eb44ab

SHA512
dbce9904dd5a403a5a69e528ee1179cc5faab1361715a29b1a0de0cd33ad3ae9c9d5620dafb161fda86cb27909d001be8955940fd051077ffe6f3ff82357ad31

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7108123.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
\Windows\Installer\MSIC43C.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Windows\Installer\MSIC91D.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Windows\Installer\MSICC89.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
memory/832-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1496-183-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1496-198-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1496-196-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1496-179-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1496-181-0x0000000002680000-0x0000000004680000-memory.dmp

Filesize
32.0MB

Download
memory/1856-112-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads