e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

Analysis

max time kernel
66s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u361.exe
Size

2.2MB
MD5

d3809baddaf7b1e7d94484160043328b
SHA1

e1979f5248d3b20858b11386ce22b1ccb0a9bfb5
SHA256

e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079
SHA512

96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6
SSDEEP

49152:OOt2ad8mKKue2/8cTs0HFTPO86O3jUfkptVx41inlc8z+o2:OOt2yMT/8cTs09RjUu54Ai

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3436 created 1772	3436	svchost.exe	99

Executes dropped EXE 6 IoCs

pid	Process
744	JavaSetup8u361.exe
4940	LZMA_EXE
3212	LZMA_EXE
1772	installer.exe
2452	javaw.exe
2164	ssvagent.exe

Loads dropped DLL 53 IoCs

pid	Process
4648	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
2452	javaw.exe
2452	javaw.exe
2452	javaw.exe
2452	javaw.exe
2452	javaw.exe
2452	javaw.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
1772	installer.exe
2164	ssvagent.exe
2164	ssvagent.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0224-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0197-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0271-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0309-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0161-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0197-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0215-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0122-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0079-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0067-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0265-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0169-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0347-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0168-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0135-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File opened for modification	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\servertool.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jawt.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\public_suffix_list.dat	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jsdt.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_es.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\tzdb.dat	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\access-bridge-32.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jfxmedia.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\splashscreen.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaBrightDemiBold.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jfr.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\plugin.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\resource.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunec.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\libffi.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\tzmappings	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\deploy.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\dcpr.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\javafx.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\psfont.properties.ja	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\prism_sw.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\policy\unlimited\local_policy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\currency.data	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\classlist	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\giflib.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_HK.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_CN.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\i386\jvm.cfg	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\libxslt.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\fontmanager.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\pkcs11wrapper.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\meta-index	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\relaxngom.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\COPYRIGHT	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jaas_nt.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\relaxngdatatype.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_ja.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\policy\limited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jli.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\JAWTAccessBridge-32.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\glass.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\psfontj2d.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF341.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e76a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC39.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF18B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180361F0}	msiexec.exe
File created	C:\Windows\Installer\e56e767.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e767.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEEA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0203-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0167-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0209-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0312-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_97"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0183-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0225-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_106"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0192-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0291-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0083-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_83"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0209-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0252-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_65"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_80"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0125-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0242-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_27"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0137-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0147-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0144-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0176-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.1_04"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_28"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0154-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0205-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0075-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_75"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0192-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_192"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0215-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0186-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0186-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_186"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0215-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_215"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0112-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_70"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_16"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_128"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0340-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_340"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_04"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0107-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_162"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0284-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_284"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0199-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_199"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0122-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_122"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0158-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0307-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0044-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0222-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_222"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0206-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_04"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0158-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0159-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_159"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0042-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_42"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_14"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0279-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_279"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0132-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_21"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0317-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0175-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_37"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_44"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0129-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0172-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0143-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_03"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0241-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0214-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0052-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_52"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_91"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBC}	installer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u361.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	744	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	744	JavaSetup8u361.exe
Token: SeSecurityPrivilege	3244	msiexec.exe
Token: SeCreateTokenPrivilege	744	JavaSetup8u361.exe
Token: SeAssignPrimaryTokenPrivilege	744	JavaSetup8u361.exe
Token: SeLockMemoryPrivilege	744	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	744	JavaSetup8u361.exe
Token: SeMachineAccountPrivilege	744	JavaSetup8u361.exe
Token: SeTcbPrivilege	744	JavaSetup8u361.exe
Token: SeSecurityPrivilege	744	JavaSetup8u361.exe
Token: SeTakeOwnershipPrivilege	744	JavaSetup8u361.exe
Token: SeLoadDriverPrivilege	744	JavaSetup8u361.exe
Token: SeSystemProfilePrivilege	744	JavaSetup8u361.exe
Token: SeSystemtimePrivilege	744	JavaSetup8u361.exe
Token: SeProfSingleProcessPrivilege	744	JavaSetup8u361.exe
Token: SeIncBasePriorityPrivilege	744	JavaSetup8u361.exe
Token: SeCreatePagefilePrivilege	744	JavaSetup8u361.exe
Token: SeCreatePermanentPrivilege	744	JavaSetup8u361.exe
Token: SeBackupPrivilege	744	JavaSetup8u361.exe
Token: SeRestorePrivilege	744	JavaSetup8u361.exe
Token: SeShutdownPrivilege	744	JavaSetup8u361.exe
Token: SeDebugPrivilege	744	JavaSetup8u361.exe
Token: SeAuditPrivilege	744	JavaSetup8u361.exe
Token: SeSystemEnvironmentPrivilege	744	JavaSetup8u361.exe
Token: SeChangeNotifyPrivilege	744	JavaSetup8u361.exe
Token: SeRemoteShutdownPrivilege	744	JavaSetup8u361.exe
Token: SeUndockPrivilege	744	JavaSetup8u361.exe
Token: SeSyncAgentPrivilege	744	JavaSetup8u361.exe
Token: SeEnableDelegationPrivilege	744	JavaSetup8u361.exe
Token: SeManageVolumePrivilege	744	JavaSetup8u361.exe
Token: SeImpersonatePrivilege	744	JavaSetup8u361.exe
Token: SeCreateGlobalPrivilege	744	JavaSetup8u361.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
744	JavaSetup8u361.exe
744	JavaSetup8u361.exe
744	JavaSetup8u361.exe
744	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 744	1280	JavaSetup8u361.exe	81
PID 1280 wrote to memory of 744	1280	JavaSetup8u361.exe	81
PID 1280 wrote to memory of 744	1280	JavaSetup8u361.exe	81
PID 744 wrote to memory of 4940	744	JavaSetup8u361.exe	89
PID 744 wrote to memory of 4940	744	JavaSetup8u361.exe	89
PID 744 wrote to memory of 4940	744	JavaSetup8u361.exe	89
PID 744 wrote to memory of 3212	744	JavaSetup8u361.exe	91
PID 744 wrote to memory of 3212	744	JavaSetup8u361.exe	91
PID 744 wrote to memory of 3212	744	JavaSetup8u361.exe	91
PID 3244 wrote to memory of 4648	3244	msiexec.exe	98
PID 3244 wrote to memory of 4648	3244	msiexec.exe	98
PID 3244 wrote to memory of 4648	3244	msiexec.exe	98
PID 3244 wrote to memory of 1772	3244	msiexec.exe	99
PID 3244 wrote to memory of 1772	3244	msiexec.exe	99
PID 3244 wrote to memory of 1772	3244	msiexec.exe	99
PID 1772 wrote to memory of 2452	1772	installer.exe	100
PID 1772 wrote to memory of 2452	1772	installer.exe	100
PID 1772 wrote to memory of 2452	1772	installer.exe	100
PID 3436 wrote to memory of 2164	3436	svchost.exe	103
PID 3436 wrote to memory of 2164	3436	svchost.exe	103
PID 3436 wrote to memory of 2164	3436	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\jds240548375.tmp\JavaSetup8u361.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240548375.tmp\JavaSetup8u361.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
    "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
    3⤵
    - Executes dropped EXE
    PID:4940
- - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
    "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
    3⤵
    - Executes dropped EXE
    PID:3212
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    -Djdk.disableLastUsageTracking -cp "C:\Program Files (x86)\Java\jre1.8.0_361\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
    3⤵
    PID:4812
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    -Djdk.disableLastUsageTracking -cp "C:\Program Files (x86)\Java\jre1.8.0_361\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
    3⤵
    PID:4420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E155F8B12C88A60F9A0B03436366E78D
  2⤵
  - Loads dropped DLL
  PID:4648
- C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180361F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2452
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2164
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:1148
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:3632
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:2380
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:4008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 51C55B21D16AFB402E5BB94CD015B850 E Global\MSI0000
  2⤵
  PID:1516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9CA12A155BD7247BCDFC672A813EB5AC
  2⤵
  PID:4208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 345B3226DEE2EA23054F872280FDAB01 E Global\MSI0000
  2⤵
  PID:3716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 55293BEB1C3455258438CF8BF82A9C65
  2⤵
  PID:4072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C81E694497259785DF45F0DE368A470 E Global\MSI0000
  2⤵
  PID:2464
- C:\Windows\Installer\MSI4DE9.tmp
  "C:\Windows\Installer\MSI4DE9.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\Java\jre1.8.0_361\bin\wsdetect.dll"
    3⤵
    PID:1696
- - C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:1852
  - - C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:668
- - C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
    3⤵
    PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_361\bin\WindowsAccessBridge-32.dll

Filesize
164KB

MD5
2d71f962c98788eaec762f02a74db260

SHA1
60a8feb42981d09017892a58e0f429c12c3cb5d0

SHA256
7c750610c77c11232f7f057a8fab36c8335871a18575a5891812bde1798e8010

SHA512
f0cdfd21b84c3a2df0bc41fb485d9135688f471d22e6c4e54ff8cea3478d0659aa0ef86c82f980a57159f7145a851358fe07779af3e94a3df90ce2689da57446

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll

Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll

Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.exe

Filesize
243KB

MD5
f54d91426b62c8ef31178f71335ef99c

SHA1
9b0f30125443a5c096ac06cc916c15ff2fd66ca1

SHA256
07b0ee9f33ce4a6ff30edd68ff21749b2a0db9c8e857c08026597b15c15b2e6c

SHA512
0fb8bdbe7a3e69951bbee04707b1602707dd179c36c79bd60333e3b75932fe14f81ff28737d04a5297f0340aa52dcbaa007abb4f8ef3327ca7bebfc389c78be0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javacpl.exe

Filesize
91KB

MD5
0b0c5661fcf66b5869900431bae21414

SHA1
db5c0c1cc89c90f68e78f1691e87482eb4058ee6

SHA256
532a34d89e8edb395040d2abd33c6c7192d599039a4c440c94e6b4440e3c66d4

SHA512
458780fc5967834b0ba4d7a3f26767563766d634253ff5faaf02c2b20048ac4b642126e32b126f1c6fec431edb186a9ecb2ddfba2c62d9e7a1e88428284ea665

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe

Filesize
381KB

MD5
e6fa604812e871bf51bd401a0874177b

SHA1
60ebd6837aea9e102d8a1b599ab7cd3d2eb29734

SHA256
8b16bf14fbd6b379f3e8cf672b7bfbd08ba772b78d97186565250d292094ab52

SHA512
0b482843c8eb2873672bf7c1bf992ae186650dc5d769a2a159b3da0648181a2de6feb2712808529bb18f00c3a095e2c2180fada16a021dd965518993dbf99c32

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll

Filesize
45KB

MD5
1529b8470b734c65adb54c54c10903ec

SHA1
355d47cf1908264d33b9e131c256c8ab22d7430f

SHA256
a70a398cdf172e1f3e3c6a5b059472600d7ab8b13a6884bbf069bf1db80a02fa

SHA512
cafa041639729bf562b5296f560015be0f3f0a73d36468356cc6a4739e50358e7862e1a213ac83005916471fd2c565c670cbb9d685b3df97bc6e27be77d57e2c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll

Filesize
45KB

MD5
1529b8470b734c65adb54c54c10903ec

SHA1
355d47cf1908264d33b9e131c256c8ab22d7430f

SHA256
a70a398cdf172e1f3e3c6a5b059472600d7ab8b13a6884bbf069bf1db80a02fa

SHA512
cafa041639729bf562b5296f560015be0f3f0a73d36468356cc6a4739e50358e7862e1a213ac83005916471fd2c565c670cbb9d685b3df97bc6e27be77d57e2c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll

Filesize
77KB

MD5
c778ab1da82f2410a31e30485e378116

SHA1
ec509f74894ef912cd92e952275d8612c9718bf1

SHA256
d933811b841b5907a8716d9ad964e01f8375cc1f247a85d2a5d341aa190cddf1

SHA512
af3ae5687894bc0ccb3f38b0d74b2fb13a938b0d6326ed26b940e108dfadced3e085679334c527f045985860a50aa3bfae18add12a9ba2e8fe2ff4e2754330c7

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll

Filesize
77KB

MD5
c778ab1da82f2410a31e30485e378116

SHA1
ec509f74894ef912cd92e952275d8612c9718bf1

SHA256
d933811b841b5907a8716d9ad964e01f8375cc1f247a85d2a5d341aa190cddf1

SHA512
af3ae5687894bc0ccb3f38b0d74b2fb13a938b0d6326ed26b940e108dfadced3e085679334c527f045985860a50aa3bfae18add12a9ba2e8fe2ff4e2754330c7

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe

Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe

Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\charsets.jar

Filesize
2.9MB

MD5
d931edec81110a6e8c1e51225bf23587

SHA1
413824475fb5a61f6359a8190f65631989614568

SHA256
13474707a01773a82309ceb2cd7417a2880770c6cfcf07dd659345bb984401e2

SHA512
e218ca85a5ff968bf8b9fe992a7609a68e52b74aa868409d1ab2059684a98e1e241314a070abf9381aeeb0d892b8b5f602aa5233762649b3c30de9b5f321084c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\classlist

Filesize
82KB

MD5
7fc71a62d85ccf12996680a4080aa44e

SHA1
199dccaa94e9129a3649a09f8667b552803e1d0e

SHA256
01fe24232d0dbefe339f88c44a3fd3d99ff0e17ae03926ccf90b835332f5f89c

SHA512
b0b9b486223cf79ccf9346aaf5c1ca0f9588247a00c826aa9f3d366b7e2ef905af4d179787dcb02b32870500fd63899538cf6fafcdd9b573799b255f658ceb1d

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\i386\jvm.cfg

Filesize
623B

MD5
9aef14a90600cd453c4e472ba83c441f

SHA1
10c53c9fe9970d41a84cb45c883ea6c386482199

SHA256
9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1

SHA512
481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jce.jar

Filesize
119KB

MD5
1f4d4fc6b33c30c5782c66b80d92c4f9

SHA1
194df32fb23b470dae4929605d18abd041c743c6

SHA256
81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904

SHA512
dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr.jar

Filesize
559KB

MD5
83b10289a40d1a87eb8f80f3f3353845

SHA1
757a8488fb4ad515dee200e6a8be286534d67bfe

SHA256
a4b76d82d3a023157c985bff3fe260783ddc49d8ac11518cc7b892705be5deb3

SHA512
ff501459627c0e6ccd1b3e4389eee366617e20858080812e685b3f84a25bd5234349fec68d1e18bd331df64ce350fdcca839c85755fb6b2aa6f3244fa5968789

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jsse.jar

Filesize
1.7MB

MD5
2c5922e1ffe6852456056a33782fef87

SHA1
a1ce0aa69665035fe55a83f562d09b9a8db23394

SHA256
7b5eb361498b313d941ac945c9e40d8d11865df2669e7cd0770f1c571ea34e28

SHA512
7922e839dcae3045124b380cd9f5f42923092bd95d74c221e2ffabce9dbc4e32463b1942a187981b5251d01bc17a899e4686c0863f5a3a7080a83f4825169e23

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\meta-index

Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\resources.jar

Filesize
3.4MB

MD5
196257767a2e3a12fd1154400d807109

SHA1
0557d03f281abbc42f9a7d0779fde41df13703cd

SHA256
7ac23eae2f85da33158394602b6a7916057dbb5ea9a3ef2911df033f03a8f13f

SHA512
1739a5c395560fb90331eba36ec18707291182c4e961693c7de1ea15285c48e24a1a606442ed9d586bcd040cd391eb88ac37fafe6b0aa20da5935f95a60ca279

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar

Filesize
53.2MB

MD5
32a3259b2753bf46dd1d6db41bfde524

SHA1
c4deb978992124134cf71d6b48af8fd3dfab8072

SHA256
e37b804af67aee09c8852ee666268970a17b71c3da475b3ffd098236d455367b

SHA512
7fd21fe13ce64009a1440f2992ff955f6934cdc5c43914781f0f994c32be9c8da5cae1b73d07355826905eec6a0a0b604163849ff6d3173120a561059b1451c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
363549fc1d6fcd2e997948bdb87ad35f

SHA1
4777ea21ecc80dbce4dae6e54e77419c49961dff

SHA256
caaf59489648e54c45f528db660636bcbccf8b74f3d09d6725b0a72e783ebfa0

SHA512
350bfd21b8658f7b71b67b28e39c1f81ddedc746fb05962e3a75016f0f08385821128969c7c80ba62179dbf9e9796de4bc9504a48a03d6d54912260b5be95d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
95e20e644584fe0799d91cad0331ec21

SHA1
1c6b776d5ac226362e12c328fd9763de4b0161ad

SHA256
82fc2ac35c8951399dcb46c84486cb9a2cf0eeae0e07cb6451df4ae4069013b0

SHA512
35d99ccfe25c6c13db576c256c492e11b46ea0b9fecd888e5c3d9a1179c09c22b66c9033ea06c7bc19427a1aaf033799764ec5da5f8a0288446224837c051892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
85049f0d877ab7651338cf04fe971297

SHA1
2c8c6061e75d6f4c3bb3675a633a8a8524c96671

SHA256
dbac8125ebb8e59aeaa11b6aa7a54c347872d295ce1e8f5b430a4b748cbbe77a

SHA512
9bc7eb1c84bb71540cd0974c430efbe44f7e020782efa7c99de2874a4edb915f9a8f9090793bc76912a6ff98ddf59d59f1bffb34ac345344ab8b0b7d36742953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
3349e8f53ed82140a947cac3a1a4631f

SHA1
defe6e3f514165c4c47e4736b7cb03aadb9ec209

SHA256
4ca96536569b0581b2f71298dee0cdf20ddbf6a9e49f036b33a7986d3c45f5d5

SHA512
ddf4748777319187ecacb4b2213911378da381febf79a3087ff5944d0d36275d9894c5754ac6d990bca9c206bb66b69bba740e3b2e2a569ec093ef19e279bd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
a2de96adbdaeccda0d633f503449cfc6

SHA1
c236dbc6e9066cb045bfb717224b6abc1e2aeef6

SHA256
d5330b7dc744dfe8ad49d8e2b09f6781f1760a5af8bcad79688e420a8c7410a9

SHA512
20a5d95d502d315e6565fcfc9790bfffc39b598e08c3ebaa500256c6150428ab21dac6ccefbab4da9dbd6d5014a2eb3cb8f15499af43ed079cf75f336b489b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
e7eed19080853be2236d5fe74acdfde6

SHA1
cc6f19e034f3649e0cd316d1a0b8e84994645600

SHA256
a38cfb9ae19c180aca6a919c8380390b83df5e8f73459a647aab7c6807433a36

SHA512
14b915d8486deeeae437b7de5390c6df80bb0e1cf6fac00abbbb0f58401ac392b273021c21ba9834868018713c453f92723f1b8a5d30ba386faf03d1f378366d

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi

Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi

Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240548375.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240548375.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
268KB

MD5
99ff839a2bed1aa13fb139e6f42564b0

SHA1
2614e0e02eebc3668c02de4db878d983f448700e

SHA256
e45c9489dc9bfcdd995179cb86b7233e3221d0f6e22ce8e2d25b4b28a8b63c93

SHA512
42fb52d8f206bdb1d003e9f871476e920601e36090c41263cbba9e43afe4c1591cf15eff6e89aa686f442d9eafa3185be1c5e2e081e41edb19f5f72e03432f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
305KB

MD5
1a06e7ef61140b7e0330caabd93c435e

SHA1
80cc53f3f74f184bac1381274384c6043ba5c0ec

SHA256
bc23bd5b8e992cb37fc59f8a4c4452fe41f03fe7bc335861c2e5ab889934cd5d

SHA512
7ec734bdf75dc7c2a8c7494d7d78d99afcb160a2e291c23ab45c8ecd031f2507fbab571e3e9d215fda50f0bc99637e4fe2d0c408a2300b37f9079024133f1c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
311KB

MD5
4bea451e5e710a89e0f6e18adcfa5e56

SHA1
522f352ef6c4cb9fcc57ca8df298cb1bda323d43

SHA256
f9b241c4cefdc5971cd85f71d0edeb163ac77ac0ae17e7b3f68e0562e8359799

SHA512
835d0c92f004ed8e5939332484f51f196bfff6c6ab62f6cfa6d04d95987adf51d74a842b4d4c3663c37c6851063f4c1f7fa69ac6fd4c7cb390971667f9b7238b

Download Submit
C:\Windows\Installer\MSIEC39.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIEC39.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIEEEA.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIEEEA.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIF341.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIF341.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\e56e76a.msi

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
memory/668-341-0x00000000048F0000-0x00000000058F0000-memory.dmp

Filesize
16.0MB

Download
memory/2452-195-0x0000000002240000-0x0000000004240000-memory.dmp

Filesize
32.0MB

Download
memory/3632-266-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-267-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-261-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-253-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-248-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-239-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-232-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/3632-326-0x0000000003480000-0x0000000005480000-memory.dmp

Filesize
32.0MB

Download
memory/4008-307-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-277-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-320-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-319-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-312-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-327-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4008-296-0x0000000003400000-0x0000000005400000-memory.dmp

Filesize
32.0MB

Download
memory/4812-366-0x0000000002A30000-0x0000000004A30000-memory.dmp

Filesize
32.0MB

Download
memory/4812-371-0x0000000002A30000-0x0000000004A30000-memory.dmp

Filesize
32.0MB

Download
memory/4812-382-0x0000000002A30000-0x0000000004A30000-memory.dmp

Filesize
32.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads