bazarbackdoor | 318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe000.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\S:	000.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe

Drops file in System32 directory 1 IoCs

Processes:

installer.exe

description ioc process

File created C:\Windows\system32\WindowsAccessBridge-64.dll installer.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\Wallpaper 000.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\libffi.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\jcup.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_sv.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-core-util-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\prism_common.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\glib.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ko.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java-rmi.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\zip.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\meta-index	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\javafx\jpeg_fx.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\thaidict.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\xmlresolver.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-time-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-filesystem-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\sunec.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\cldr.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\LICENSE	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\mesa3d.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\unicode.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\jaccess.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_iio.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\npjp2.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\nashorn.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\US_export_policy.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\public_suffix_list.dat	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jfr\default.jfc	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\release	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\Welcome.html	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ktab.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\sRGB.pf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\content-types.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\access-bridge-64.jar	installer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\instrument.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\policytool.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngcc.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\net.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\plugin.pack	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\README.txt	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jfxmedia.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\images\cursors\cursors.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11cryptotoken.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\dtplugin\deployJava1.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jawt.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2ssv.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\plugin2\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\jfxrt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\jsse.jar	unpack200.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-string-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\pkcs11wrapper.md	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\fonts\LucidaBrightItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\management\management.properties	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\wsdetect.dll	installer.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI730A.tmp	msiexec.exe
File created	C:\Windows\Installer\6e730f.msi	msiexec.exe
File created	C:\Windows\Installer\6e7311.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI970A.tmp	msiexec.exe
File created	C:\Windows\Installer\6e7313.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6e7311.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e730f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8ABA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99E8.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1988 1284 WerFault.exe irsetup.exe

pid	pid_target	process	target process
1988	1284	WerFault.exe	irsetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

852 taskkill.exe
2800 taskkill.exe

pid	process
852	taskkill.exe
2800	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

Processes:

installer.exejre-windows.exeirsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0327-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_30"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0123-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0280-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0210-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0201-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0001-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_01"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_156"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0212-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_04"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_21"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0144-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0060-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0139-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0246-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0092-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0173-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0321-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0026-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_26"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0058-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_86"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0131-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0173-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0297-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_297"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_89"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0073-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0215-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0278-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0093-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0097-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_41"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0182-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_80"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0333-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0090-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0094-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_94"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0157-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0190-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_190"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0186-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_186"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0052-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0338-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_58"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0089-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0241-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0145-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_06"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0283-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0360-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 11.351.2"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0263-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_263"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0322-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0292-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0205-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0326-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0108-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0076-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0295-ABCDEFFEDCBA}\InprocServer32	installer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exechrome.exejavaws.exejp2launcher.exechrome.exejavaws.exejp2launcher.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1760	chrome.exe
1376	chrome.exe
1376	chrome.exe
2444	javaws.exe
2460	jp2launcher.exe
2972	chrome.exe
852	javaws.exe
2120	jp2launcher.exe
2516	chrome.exe
2516	chrome.exe
2672	chrome.exe
2728	chrome.exe
2052	chrome.exe
2516	chrome.exe
2516	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-windows.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1588	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1588	jre-windows.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeSecurityPrivilege	1388	msiexec.exe
Token: SeCreateTokenPrivilege	1588	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1588	jre-windows.exe
Token: SeLockMemoryPrivilege	1588	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1588	jre-windows.exe
Token: SeMachineAccountPrivilege	1588	jre-windows.exe
Token: SeTcbPrivilege	1588	jre-windows.exe
Token: SeSecurityPrivilege	1588	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1588	jre-windows.exe
Token: SeLoadDriverPrivilege	1588	jre-windows.exe
Token: SeSystemProfilePrivilege	1588	jre-windows.exe
Token: SeSystemtimePrivilege	1588	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1588	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1588	jre-windows.exe
Token: SeCreatePagefilePrivilege	1588	jre-windows.exe
Token: SeCreatePermanentPrivilege	1588	jre-windows.exe
Token: SeBackupPrivilege	1588	jre-windows.exe
Token: SeRestorePrivilege	1588	jre-windows.exe
Token: SeShutdownPrivilege	1588	jre-windows.exe
Token: SeDebugPrivilege	1588	jre-windows.exe
Token: SeAuditPrivilege	1588	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1588	jre-windows.exe
Token: SeChangeNotifyPrivilege	1588	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1588	jre-windows.exe
Token: SeUndockPrivilege	1588	jre-windows.exe
Token: SeSyncAgentPrivilege	1588	jre-windows.exe
Token: SeEnableDelegationPrivilege	1588	jre-windows.exe
Token: SeManageVolumePrivilege	1588	jre-windows.exe
Token: SeImpersonatePrivilege	1588	jre-windows.exe
Token: SeCreateGlobalPrivilege	1588	jre-windows.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe
Token: SeRestorePrivilege	1388	msiexec.exe
Token: SeTakeOwnershipPrivilege	1388	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

irsetup.exeirsetup.exejre-windows.exejp2launcher.exejp2launcher.exe000.exe

pid	process
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
776	irsetup.exe
776	irsetup.exe
1588	jre-windows.exe
1588	jre-windows.exe
1588	jre-windows.exe
1588	jre-windows.exe
2460	jp2launcher.exe
2120	jp2launcher.exe
2848	000.exe
2848	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TLauncher-2.871-Installer-1.0.6-global.exeirsetup.exeAdditionalExecuteTL.exejre-windows.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1668 wrote to memory of 1284	1668	TLauncher-2.871-Installer-1.0.6-global.exe	irsetup.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1284 wrote to memory of 1392	1284	irsetup.exe	AdditionalExecuteTL.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1392 wrote to memory of 776	1392	AdditionalExecuteTL.exe	irsetup.exe
PID 1284 wrote to memory of 548	1284	irsetup.exe	jre-windows.exe
PID 1284 wrote to memory of 548	1284	irsetup.exe	jre-windows.exe
PID 1284 wrote to memory of 548	1284	irsetup.exe	jre-windows.exe
PID 1284 wrote to memory of 548	1284	irsetup.exe	jre-windows.exe
PID 548 wrote to memory of 1588	548	jre-windows.exe	jre-windows.exe
PID 548 wrote to memory of 1588	548	jre-windows.exe	jre-windows.exe
PID 548 wrote to memory of 1588	548	jre-windows.exe	jre-windows.exe
PID 1388 wrote to memory of 1800	1388	msiexec.exe	MsiExec.exe
PID 1388 wrote to memory of 1800	1388	msiexec.exe	MsiExec.exe
PID 1388 wrote to memory of 1800	1388	msiexec.exe	MsiExec.exe
PID 1388 wrote to memory of 1800	1388	msiexec.exe	MsiExec.exe
PID 1388 wrote to memory of 1800	1388	msiexec.exe	MsiExec.exe
PID 1388 wrote to memory of 1744	1388	msiexec.exe	installer.exe
PID 1388 wrote to memory of 1744	1388	msiexec.exe	installer.exe
PID 1388 wrote to memory of 1744	1388	msiexec.exe	installer.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 392	1744	installer.exe	bspatch.exe
PID 1744 wrote to memory of 1576	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1576	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1576	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 188	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 188	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 188	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 408	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 408	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 408	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1676	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1676	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1676	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 960	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 960	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 960	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1148	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1148	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 1148	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 568	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 568	1744	installer.exe	unpack200.exe
PID 1744 wrote to memory of 568	1744	installer.exe	unpack200.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:24771453" "__IRSID:S-1-5-21-3385717845-2518323428-350143044-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-3385717845-2518323428-350143044-1000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:776

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\jds7151928.tmp\jre-windows.exe
"C:\Users\Admin\AppData\Local\Temp\jds7151928.tmp\jre-windows.exe" "STATIC=1"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 876
3⤵
- Program crash
PID:1988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 8CF4AD24B24E53710EDD3427F5D7C21C
2⤵
- Loads dropped DLL
PID:1800

C:\Program Files\Java\jre1.8.0_351\installer.exe
"C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744

C:\ProgramData\Oracle\Java\installcache_x64\7256698.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:392

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:188

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
3⤵
- Executes dropped EXE
PID:408

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
3⤵
- Executes dropped EXE
PID:1676

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:960

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
3⤵
- Executes dropped EXE
PID:1148

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
3⤵
- Executes dropped EXE
PID:568

C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
PID:1832

C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:2436

C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding BAD0A79F22BBCD0E4C7DF8D0A4B203B6 M Global\MSI0000
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69a4f50,0x7fef69a4f60,0x7fef69a4f70
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1148 /prefetch:2
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 /prefetch:8
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1144,11242023144248306066,13733644564961819665,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2412 /prefetch:2
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69a4f50,0x7fef69a4f60,0x7fef69a4f70
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69a4f50,0x7fef69a4f60,0x7fef69a4f70
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=832,13358182213017381218,8058164899333509330,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1132 /prefetch:2
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=832,13358182213017381218,8058164899333509330,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1292 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3e94f50,0x7fef3e94f60,0x7fef3e94f70
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3344 /prefetch:2
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1248 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1324 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1160 /prefetch:8
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
2⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=496 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f94a890,0x13f94a8a0,0x13f94a8b0
3⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1800 /prefetch:8
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,6939643441708763716,17372043592587448142,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:1264

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0
1⤵
PID:2916

C:\Users\Admin\Downloads\000\000.exe
"C:\Users\Admin\Downloads\000\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
PID:960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
PID:852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
PID:2800

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
PID:1108

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
PID:1208

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2184

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery