107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b

Resubmissions

03/02/2023, 15:51

230203-taw9labe31 7

03/02/2023, 15:47

230203-s8p3habe21 7

03/02/2023, 15:44

230203-s6jgyafh93 8

03/02/2023, 15:40

230203-s4h4dsfh85 8

Analysis

max time kernel
103s
max time network
160s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
03/02/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher 3.0.exe
Size

1.2MB
MD5

32c7e3347f8e532e675d154eb07f4ccf
SHA1

5ca004745e2cdab497a7d6ef29c7efb25dc4046d
SHA256

107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b
SHA512

c82f3a01719f30cbb876a1395fda713ddba07b570bc188515b1b705e54e15a7cca5f71f741d51763f63aa5f40e00df06f63b341ed4db6b1be87b3ee59460dbe2
SSDEEP

24576:Dh199z42ojP6a7HJlF9eu5XFQZSIZeNGdmEE8H17UBcegl:R9zbgH3euNFQZr/oEE892cfl

Score

8^/10

adware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
980	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1068	LZMA_EXE
1980	LZMA_EXE
2164	installer.exe
2204	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
980	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1388	MsiExec.exe
1388	MsiExec.exe
1388	MsiExec.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2204	javaw.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe
2164	installer.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File opened for modification	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\joni.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\directshow.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jdwp.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\mesa3d.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\resources.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\plugin.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaBrightItalic.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\plugin2\npjp2.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java-rmi.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\dom.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\policy\limited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java_crw_demo.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\cldrdata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_it.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\orbd.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\java.policy	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\wsdetect.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\nio.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_ko.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\cacerts	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\calendars.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jce.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jabswitch.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\pack200.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\lcms.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\COPYRIGHT	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\policy\unlimited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\currency.data	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_sv.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\tzmappings	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\jopt-simple.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jpeg.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\management\management.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\glib-lite.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\plugin2\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\gstreamer.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\java.security	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\ffjcext.zip	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\pkcs11cryptotoken.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssv.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\tnameserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\classlist	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\cmm\GRAY.pf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr\profile.jfc	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\plugin2\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2ssv.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\cmm\sRGB.pf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\javafx_font.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\w2k_lsa_auth.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\webkit.md	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6261.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6e4bd0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6167.tmp	msiexec.exe
File created	C:\Windows\Installer\6e4bd4.msi	msiexec.exe
File created	C:\Windows\Installer\6e4bd0.msi	msiexec.exe
File created	C:\Windows\Installer\6e4bd2.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = c8a97571ee37d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "368"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382207441"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u361.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "373"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "373"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "368"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Windows\\SysWOW64"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "266"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "288"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ccfd8223f9a3394e9331449d0c9bdcdc00000000020000000000106600000001000020000000c9d7c3a54fb9115ae6aa5ea59bd41bf282b254c4f86665353c02ea102a3a3c42000000000e800000000200002000000028334e9416fb28d62a9355b363ee1d6c0ea2467f0e83560c0a69dae5531be69d2000000068392bb8eecee4a9a49e78802ce29f664094fb8f4f1350082b69fd56ca1f6b28400000003f9c23fe58c1c7209abb00b5f44f7651ff0d751987c674eae3376808ea65bb6839dcc1c9bade0c4e04955a247f460d270d283689b24791af318ee00ad3fb13db	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8D2BFA01-A3E1-11ED-847A-763DF7143A59} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ccfd8223f9a3394e9331449d0c9bdcdc00000000020000000000106600000001000020000000a1280ed4344dfe79c00c7201e0a2b79463b96cd6681bd0d70f0da38543548cc4000000000e800000000200002000000005bb294512d9a6e4e2f3f5284313fe7a3b04858c7966a3b45aa3cae2540db0489000000031f064fb0db5e665db6a9094761a74ef04bc0f9dc91dc79102c9cb18ddc14fd334edfb3ece37c2c1046aa836026030b53fe70710917d633ef3b001b6d49706464edc547614cfcc4bb8be070ecfc0a398efd616e4025cb85610ffa0ade1e49c05398157cf90c2413cbdfd0c676f82b5fa417e8ea18c2f0b494153806a04d671f531a9a81d06947f1f73034986b7edb1394000000067b5872afd92d88936202f33644765c6eba48c587b3c099813ae8cf66feb7e87abfec19657e2b0d3ec409ce708baee9db146f5637378987a602bb9198989bbaa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0081-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.0_02"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_23"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0051-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_71"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_11"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0060-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_03"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0079-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_21"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0044-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_07"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_84"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_28"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0054-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0055-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0077-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0078-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_78"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_14"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_27"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0048-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_48"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0036-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0073-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0094-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0034-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0074-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0049-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_49"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_86"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_08"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_15"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0080-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_86"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_88"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2launcher.exe\" -securejws \"%1\""	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0073-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_73"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_32"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_14"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0078-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_85"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_09"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}	installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1304	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1304	JavaSetup8u361.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeSecurityPrivilege	972	msiexec.exe
Token: SeCreateTokenPrivilege	1304	JavaSetup8u361.exe
Token: SeAssignPrimaryTokenPrivilege	1304	JavaSetup8u361.exe
Token: SeLockMemoryPrivilege	1304	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1304	JavaSetup8u361.exe
Token: SeMachineAccountPrivilege	1304	JavaSetup8u361.exe
Token: SeTcbPrivilege	1304	JavaSetup8u361.exe
Token: SeSecurityPrivilege	1304	JavaSetup8u361.exe
Token: SeTakeOwnershipPrivilege	1304	JavaSetup8u361.exe
Token: SeLoadDriverPrivilege	1304	JavaSetup8u361.exe
Token: SeSystemProfilePrivilege	1304	JavaSetup8u361.exe
Token: SeSystemtimePrivilege	1304	JavaSetup8u361.exe
Token: SeProfSingleProcessPrivilege	1304	JavaSetup8u361.exe
Token: SeIncBasePriorityPrivilege	1304	JavaSetup8u361.exe
Token: SeCreatePagefilePrivilege	1304	JavaSetup8u361.exe
Token: SeCreatePermanentPrivilege	1304	JavaSetup8u361.exe
Token: SeBackupPrivilege	1304	JavaSetup8u361.exe
Token: SeRestorePrivilege	1304	JavaSetup8u361.exe
Token: SeShutdownPrivilege	1304	JavaSetup8u361.exe
Token: SeDebugPrivilege	1304	JavaSetup8u361.exe
Token: SeAuditPrivilege	1304	JavaSetup8u361.exe
Token: SeSystemEnvironmentPrivilege	1304	JavaSetup8u361.exe
Token: SeChangeNotifyPrivilege	1304	JavaSetup8u361.exe
Token: SeRemoteShutdownPrivilege	1304	JavaSetup8u361.exe
Token: SeUndockPrivilege	1304	JavaSetup8u361.exe
Token: SeSyncAgentPrivilege	1304	JavaSetup8u361.exe
Token: SeEnableDelegationPrivilege	1304	JavaSetup8u361.exe
Token: SeManageVolumePrivilege	1304	JavaSetup8u361.exe
Token: SeImpersonatePrivilege	1304	JavaSetup8u361.exe
Token: SeCreateGlobalPrivilege	1304	JavaSetup8u361.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: 33	1616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1616	AUDIODG.EXE
Token: 33	1616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1616	AUDIODG.EXE
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe
Token: SeRestorePrivilege	972	msiexec.exe
Token: SeTakeOwnershipPrivilege	972	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
880	iexplore.exe
880	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
880	iexplore.exe
880	iexplore.exe
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
1404	IEXPLORE.EXE
880	iexplore.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe
1304	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 880	1808	SKlauncher 3.0.exe	27
PID 1808 wrote to memory of 880	1808	SKlauncher 3.0.exe	27
PID 1808 wrote to memory of 880	1808	SKlauncher 3.0.exe	27
PID 1808 wrote to memory of 880	1808	SKlauncher 3.0.exe	27
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 1404	880	iexplore.exe	29
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 880 wrote to memory of 980	880	iexplore.exe	31
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 980 wrote to memory of 1304	980	JavaSetup8u361.exe	32
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1068	1304	JavaSetup8u361.exe	34
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 1304 wrote to memory of 1980	1304	JavaSetup8u361.exe	36
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 1388	972	msiexec.exe	42
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 972 wrote to memory of 2164	972	msiexec.exe	43
PID 2164 wrote to memory of 2204	2164	installer.exe	44
PID 2164 wrote to memory of 2204	2164	installer.exe	44
PID 2164 wrote to memory of 2204	2164	installer.exe	44
PID 2164 wrote to memory of 2204	2164	installer.exe	44

C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://adoptium.net/
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\JavaSetup8u361.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\JavaSetup8u361.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\jds7207058.tmp\JavaSetup8u361.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7207058.tmp\JavaSetup8u361.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:1068
    - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
        
        "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
        5⤵
        Executes dropped EXE
        
        PID:1980

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2722B7961824D93262A4B90E17DDA142
  2⤵
  - Loads dropped DLL
  PID:1388
- C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180361F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2204
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:2468
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:2648
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:2668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
21519f4d5f1fea53532a0b152910ef8b

SHA1
7833ac2c20263c8be42f67151f9234eb8e4a5515

SHA256
5fbd69186f414d1d99ac61c9c15a57390ff21fe995e5c01f1c4e14510b6fb9b1

SHA512
97211fad4aae2f6a6b783107938f0635c302445e74fc34a26aa386864509919c3f084e80579d2502105d9256aab9f57ea16137c43344b1c62f64e5bc1125a417

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll

Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe

Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\i386\jvm.cfg

Filesize
623B

MD5
9aef14a90600cd453c4e472ba83c441f

SHA1
10c53c9fe9970d41a84cb45c883ea6c386482199

SHA256
9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1

SHA512
481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar

Filesize
53.2MB

MD5
32a3259b2753bf46dd1d6db41bfde524

SHA1
c4deb978992124134cf71d6b48af8fd3dfab8072

SHA256
e37b804af67aee09c8852ee666268970a17b71c3da475b3ffd098236d455367b

SHA512
7fd21fe13ce64009a1440f2992ff955f6934cdc5c43914781f0f994c32be9c8da5cae1b73d07355826905eec6a0a0b604163849ff6d3173120a561059b1451c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
6c477c577f83f9afd14b13d0380ba99e

SHA1
adfa25a471a70f4972366c642462708a144f39ad

SHA256
ab23ea2811144999226026e5c9697cc94d19817b3508b8516017eec0998b88ae

SHA512
fcc10f0066e374935dcde376c9d13351dfeaa094eefbebd5d018378d3c572f970cb517b1e915383ec8f4c58c3fdfe3889169d9c9bf76a1568c5d912d24ee7690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
20b5aa34e9119ec51cb0601caf0e11da

SHA1
4734e8c52f486e9e9258a7ca5cb11a8a275b4367

SHA256
afacf7b892b52baab57ad6882a1a728316bc3acd5058cc3df09a24a4667d5bd9

SHA512
4297047787ebd075a2b6a2455b7b010a9cd93a7c7e6632e5192fd278b88eec4d623ca168dc63b8f0e98439358beba035e5df82046a30bd4dc191fdf4960c3b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
727B

MD5
95e20e644584fe0799d91cad0331ec21

SHA1
1c6b776d5ac226362e12c328fd9763de4b0161ad

SHA256
82fc2ac35c8951399dcb46c84486cb9a2cf0eeae0e07cb6451df4ae4069013b0

SHA512
35d99ccfe25c6c13db576c256c492e11b46ea0b9fecd888e5c3d9a1179c09c22b66c9033ea06c7bc19427a1aaf033799764ec5da5f8a0288446224837c051892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
dfe513d54b6e0521ac2adb089eceef04

SHA1
a149214a46b7909c36edb90527de69de4f70d9a8

SHA256
7cb878b60608be35a23719e78e10c1270c908f724fde44d812e3fc703037298b

SHA512
58aac2ce5ec39ef906477a79017259fe0e922c6672b64dd9df0ba977e46b98cfb4633b0886084e17e5304988f29854679b5c56a622121c473b2b6440bcabe0bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
85049f0d877ab7651338cf04fe971297

SHA1
2c8c6061e75d6f4c3bb3675a633a8a8524c96671

SHA256
dbac8125ebb8e59aeaa11b6aa7a54c347872d295ce1e8f5b430a4b748cbbe77a

SHA512
9bc7eb1c84bb71540cd0974c430efbe44f7e020782efa7c99de2874a4edb915f9a8f9090793bc76912a6ff98ddf59d59f1bffb34ac345344ab8b0b7d36742953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
624cab47c5e778fde8b4ab36fad2e9fa

SHA1
899fc1b110e8d935f2d5e6c7f6145cb0daf077a1

SHA256
99f1ce398bf9499eb09af4d3c923ec91cbf14ee4eb9391824c58c41130f64278

SHA512
220767420f509355418c41caf373ebe8be76e0b8eb76098ece4dfc3adad02f71258b57d3add8ed77f03fda9e0affa19534e36bd35172b8ff716a4f21ccc26f75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
446B

MD5
a3ec0a29555400e408da90bf864e81e0

SHA1
bf0edec02b981285f95cd1645c2fb2e755db806e

SHA256
028dfa4bbe6fb9c110bebcba979652543e8b7797797bbfff54772836b3e7b894

SHA512
e69177700475a94caf6920ea4e3476b85d17a681b1ee6bd4d52bfa07fce97072b9b7f996703279d174d6263c815c5551ffb04621a407753f2444c77e2611e294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63

Filesize
434B

MD5
1e4052051513fc7224f2f3b7b6b0d582

SHA1
b02165b4a604428c5dd2b665d6f239d04d37ee6d

SHA256
8a8cdbce326271eb3044d0230b638aba8ad76d00cd107f967b181965e175182f

SHA512
30730fe53a3896c157745d5188f87e717c25e65e530882d795b650ebddb4aa0772785b032eb648362ea9104f3aae52c4f0308785658862e625e1f9f858ca8e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d957ea7bf2470551fdd034895cb5f94c

SHA1
ad7d235a19e30a768ca683ce1810672e2828e08c

SHA256
b106845cfcbcf2482fd712f11ef2785e61247703f3d0360b89aa4aed8c089a99

SHA512
22ff08c913b7f84a3980a0b1df4a81f75ea0f411d32a8d07b8bd4aa6a64b116f0d022533445c38e6a55b573ffb387abb6bca004f270488e1a091b33e412db313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3895dc1528d362c3e8f1c59a4f0c92c8

SHA1
7de44cae0cb66dd483151ddf0786fd6a14f19ece

SHA256
d1ee28d551a5f28b7802fe0cf9ec5e7d5c9ea2f96e43659a42ca8d33ed46e740

SHA512
c747dab9ec501a8fa51f35ef09ceec4ab5888d8b1ab1ae409f134e2e497886c93ef4332876b365dcade7721fd153d7c57d55016ce591a89fcc3abb6168cbd714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
030ccdf7d02a569cca75f5520b08a7fa

SHA1
99739d472ade7603cc8cfc1278397451e511f6bc

SHA256
39721905c8e5bcd137d6b6644f8fba30fd95e43716fc5cd03b734dc35c2ac329

SHA512
6d12682fd3b4a5afa7563537746cc006b97f55ef5be25a1bfdfdaad7ba7b3ddea50e502547ccbb2ba9a22242cc3df465875ede34fca7205c78d185c8170cd395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
aa30a238f1ed54173a8c797d2b43e4e2

SHA1
6707a650b923024c20e00bd4d1db9a8025e8a323

SHA256
ef17f6e6f757c07639c0653a6868539ceef8ba387dfbad3272d2994076d2dc3d

SHA512
a697a6f07a23bb905afc2511a955974e0e768d294696be672776dec0bd70fc1e03da55512f95a586f8480dc6da51a01b7f06be78b3bba0462a8735a7d63870b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
acf16085422a5045b41cc678676c153d

SHA1
4c20fb704138d5493f8ab7142efd5f2eddaf93b7

SHA256
8f6b2cc14779b3d26343e685514959808087dce70fdc58878c85c89a582509b1

SHA512
84e58b2ac3851c212ff9b91e7b7c7e3b406a5e7e61a39e6aa9a0e23415ca2c9890bcae29c80f621945d145088dc3bdf5c4e1db1975bab9915a5a2f8577ab5680

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi

Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi

Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
7KB

MD5
8975e46a48942341bcf0ce34a8436e5b

SHA1
095bec56cb7df27732e64c0787d3ea15db880569

SHA256
cc2281478f7eabcbeaec4747cb5d6fdbe0e550b30b1ea7fa7ed0286e3df352cd

SHA512
4587e2f8e72bd582ee840c1f0aa5dca201ab910846ce46c1474466e21c8555a42fd2257e557fc3fdea39fef7bbf7da54591e489d419bae29c235c5078846db9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
15KB

MD5
78f84f0d4b548baeefbe0cd34c0bc19f

SHA1
e65d046a1ca77c39754662de3a179b27e9dc9d1e

SHA256
cbd93d29b8673c0081decfb6bcb231af90e3dc754c7d50a4da6853787f5e3a0d

SHA512
a62973531f389291da1ed2a1c3c09a40410d239b0b687c9600a4d4380523608907deefabf3a1250575263ec9e0128d0fb8c3d0d7af7427e24980e75aea9dc34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
15KB

MD5
78f84f0d4b548baeefbe0cd34c0bc19f

SHA1
e65d046a1ca77c39754662de3a179b27e9dc9d1e

SHA256
cbd93d29b8673c0081decfb6bcb231af90e3dc754c7d50a4da6853787f5e3a0d

SHA512
a62973531f389291da1ed2a1c3c09a40410d239b0b687c9600a4d4380523608907deefabf3a1250575263ec9e0128d0fb8c3d0d7af7427e24980e75aea9dc34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
16KB

MD5
34e8e444d47f4e4232362b6ded5064fd

SHA1
246afe8fd7790ee05451aa49df53d502962a324b

SHA256
32a5201bd914a9e8311127bdb9c66afa40a5cdbe5dfdb0ff51f986676df19aa6

SHA512
848eb90171ad867f2db82c2a69e1e930cb579ddf84aad49e56174629c23e848f6123e0e9a8a051bc13895c620f839307a0c2a5f816fb465aac192d4f73679c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\JavaSetup8u361.exe

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\JavaSetup8u361.exe.z535e90.partial

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7207058.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7207058.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
40KB

MD5
5c89a941a6befa5659d684f0bbd16d14

SHA1
29c5c8c126750858209fe098ba8c110a8b0fd681

SHA256
b753fe86c0fa5cffe5869eb7c9d781316c5b57298f9814d0a6d6bd429ae8ea7f

SHA512
a73833301f382b904faa96f2e353d5d1ec93294590fd4ccf7e0b9bc20ab7b5ce8e7190aa2ebc7305edfcbae6fe9b5f67a631e2c6871b8189c0f8dd563b04cfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
54KB

MD5
6c7e1f442af87636929ae32b1cbab019

SHA1
ce629fedd1ac3d4246a840a11a705bb9c3332f8b

SHA256
5b671c78860f4483a2bc9988a7f818d4b65a928f18223075a3e156cb31730db5

SHA512
18e597128aed577522296e279131d6d311f1bac090e91fcf8752bb0439a61ab3c9691abfaaf6737f46844032948ff181e40a05d43f2d074923bb61ab0af85bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
5ae05d6cf82c6e4db96fc588a9b17821

SHA1
ecbca9ebbed5cd681aa415e97321ac408c601e63

SHA256
003cd78252daf4c06cda98f10561b9ce728b6dbca95ada040abcb3de200aad4b

SHA512
1535ea21efbbdcb9442bdd53cb9f855694760b2d5aac194b950a20db5777885ed7d0b043c5583c507019bf84dc2aa5554517fcc1021b4e0185b330fb7d0246cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\066L2MJG.txt

Filesize
512B

MD5
237caca18761f79caa35b0e55af5b1f8

SHA1
93c9d625db7b257839ae1c5be81b2d32a01841f3

SHA256
0cfbde768887c77ac1ef1e6e76a7e66521a5d958ee87979e72d77bc0ac87d52a

SHA512
7a61f08b616d737370e49d54891ab95babb5d976a05f092c6dd599f720344b6da2b71648808b5ab82b49b6386fcbababec6d8b4d66bd5bcb04f0be7f1bb0ab0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WVHN6M1U.txt

Filesize
602B

MD5
a8f956e6d09dc7f7f799a3fb728d110d

SHA1
fb898ba5ad31cb770174d7b34d17f7571323290e

SHA256
d00f2f49c5a530e702a0ddfcd3441d45265f150754082263178bfb995a3b873f

SHA512
1b09197c67723d17094c08874c3d52d62eace1ac7b3ceefba19678d34cf6971e57aec4409394606bc62c116d6151f6049e6e58ac6c6e2c5261a627b87c618881

Download Submit
C:\Windows\Installer\6e4bd4.msi

Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Windows\Installer\MSI55FF.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI5DDD.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI6261.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
4f06da894ea013a5e18b8b84a9836d5a

SHA1
40cf36e07b738aa8bba58bc5587643326ff412a9

SHA256
876bd768c8605056579dd8962e2fd7cc96306fab5759d904e8a24e46c25bd732

SHA512
1d7c0682d343416e6942547e6a449be4654158d6a70d78ad3c7e8c2b39c296c9406013a3cfe84d1ae8608f19bee1d4f346d26576d7ed56456eea39d5d7200f79

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll

Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe

Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7207058.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
\Windows\Installer\MSI55FF.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Windows\Installer\MSI5DDD.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
\Windows\Installer\MSI6261.tmp

Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
memory/540-106-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/2668-203-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-173-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-196-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-206-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-207-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-208-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-209-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-211-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-212-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-213-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-214-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download
memory/2668-215-0x0000000002720000-0x0000000004720000-memory.dmp

Filesize
32.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads