bazarbackdoor | 7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3

Analysis

max time kernel
363s
max time network
331s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
05/02/2023, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.871-Installer-1.0.6.exe
Size

23.7MB
MD5

49fb0f13cdb8d7cad1487889b6becced
SHA1

b71d98ec45e6f7314f0e33106485beef99b2ee7c
SHA256

7e49e00be1992fbc4ac14f2e5e3c05dccadf8fba3c3936357d8df7f146f5f0a3
SHA512

639fa23294556bf77080d420e7e1b5b7c07a8b1e93897c36a4f8e398c1c58de9b91636420102e68f6957c768793797728664e32dc38aa68315746882b4ebe1d9
SSDEEP

393216:XX921sp/n85Pfs/dQETVlOBbpFEj9GZ1GphRqV56Hpk7IXOzDnKI17fyV5:XN8s18hHExiTI3qqHp6zvKcfyV5

Score

10^/10

bazarbackdoor adware backdoor discovery persistence stealer upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000600000001d9fd-102.dat	BazarBackdoorVar3
behavioral1/files/0x000600000001d9fd-104.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001da1e-105.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001da1e-107.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001da1e-113.dat	BazarBackdoorVar3
behavioral1/files/0x000400000001da1e-116.dat	BazarBackdoorVar3
behavioral1/files/0x000200000000f6f7-118.dat	BazarBackdoorVar3
behavioral1/files/0x000500000001dabf-134.dat	BazarBackdoorVar3

Blocklisted process makes network request 1 IoCs

flow	pid	Process
31	1004	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 31 IoCs

pid	Process
2040	irsetup.exe
1300	AdditionalExecuteTL.exe
2032	irsetup.exe
392	jre-windows.exe
1908	jre-windows.exe
1424	installer.exe
1744	bspatch.exe
268	unpack200.exe
340	unpack200.exe
1848	unpack200.exe
1356	unpack200.exe
1516	unpack200.exe
1684	unpack200.exe
560	unpack200.exe
1696	javaw.exe
2012	ssvagent.exe
1536	javaws.exe
1828	jp2launcher.exe
864	javaws.exe
1780	jp2launcher.exe
1696	MSIA65E.tmp
896	javaw.exe
1076	javaw.exe
1336	TLauncher.exe
1036	javaw.exe
1676	TLauncher.exe
820	javaw.exe
1076	TLauncher.exe
1812	javaw.exe
108	TLauncher.exe
1272	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
1628	TLauncher-2.871-Installer-1.0.6.exe
1628	TLauncher-2.871-Installer-1.0.6.exe
1628	TLauncher-2.871-Installer-1.0.6.exe
1628	TLauncher-2.871-Installer-1.0.6.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
1300	AdditionalExecuteTL.exe
1300	AdditionalExecuteTL.exe
1300	AdditionalExecuteTL.exe
1300	AdditionalExecuteTL.exe
2032	irsetup.exe
2032	irsetup.exe
2032	irsetup.exe
2040	irsetup.exe
392	jre-windows.exe
1208	Process not Found
844	MsiExec.exe
844	MsiExec.exe
844	MsiExec.exe
1004	msiexec.exe
1744	bspatch.exe
1744	bspatch.exe
1744	bspatch.exe
1424	installer.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
268	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe
340	unpack200.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1696	icacls.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0050-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0247-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0123-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0233-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0308-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0181-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0181-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0193-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0070-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0158-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0253-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0214-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0300-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0316-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0192-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0197-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0219-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0241-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0120-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0208-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0076-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0305-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0164-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0146-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0076-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0318-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0284-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0167-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0226-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0285-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122f4-55.dat	upx
behavioral1/files/0x000a0000000122f4-56.dat	upx
behavioral1/files/0x000a0000000122f4-58.dat	upx
behavioral1/files/0x000a0000000122f4-57.dat	upx
behavioral1/files/0x000a0000000122f4-60.dat	upx
behavioral1/files/0x000a0000000122f4-64.dat	upx
behavioral1/memory/2040-67-0x0000000001190000-0x0000000001578000-memory.dmp	upx
behavioral1/memory/2040-72-0x0000000001190000-0x0000000001578000-memory.dmp	upx
behavioral1/files/0x000a0000000122f4-73.dat	upx
behavioral1/files/0x000500000001c88c-83.dat	upx
behavioral1/files/0x000500000001c88c-85.dat	upx
behavioral1/files/0x000500000001c88c-84.dat	upx
behavioral1/files/0x000500000001c88c-82.dat	upx
behavioral1/files/0x000500000001c88c-88.dat	upx
behavioral1/files/0x000500000001c88c-94.dat	upx
behavioral1/memory/2032-99-0x0000000001170000-0x0000000001558000-memory.dmp	upx
behavioral1/files/0x000400000001dad6-136.dat	upx
behavioral1/memory/1744-137-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000400000001dad6-138.dat	upx
behavioral1/files/0x000400000001dad6-142.dat	upx
behavioral1/files/0x000400000001dad6-141.dat	upx
behavioral1/files/0x000400000001dad6-140.dat	upx
behavioral1/memory/1744-143-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/1744-149-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/1744-150-0x0000000000230000-0x0000000000247000-memory.dmp	upx
behavioral1/memory/1744-153-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2040-240-0x0000000001190000-0x0000000001578000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\javaws.exe	rundll32.exe
File created	C:\Windows\system32\java.exe	rundll32.exe
File created	C:\Windows\system32\javaw.exe	rundll32.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy.pack	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssv.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\ext\nashorn.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\installer.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\javafx_font.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\java.exe	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\jvm.cfg	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\bci.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\cacerts	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Bissau	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Lima	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Thule	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\jp2iexp.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.policy	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\legal\jdk\relaxngom.md	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\server\jvm.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsound.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\api-ms-win-crt-math-l1-1-0.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Hobart	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jpeg.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\security\policy\unlimited\local_policy.jar	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\deploy\messages_zh_CN.properties	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_351\bin\msvcp140.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_351\lib\cmm\LINEAR_RGB.pf	installer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	msiexec.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6d9f4e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6d9f52.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA65E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d9f52.ipi	msiexec.exe
File created	C:\Windows\Installer\6d9f4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8694.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8703.tmp	msiexec.exe
File created	C:\Windows\Installer\6da197.msi	msiexec.exe
File created	C:\Windows\Installer\6da199.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA94.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6da199.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA64E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6da197.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8339.tmp	msiexec.exe
File created	C:\Windows\Installer\6da19b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d9f4e.ipi	msiexec.exe
File created	C:\Windows\Installer\6d9f50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CC3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d9f4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD20.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	jre-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_351\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_92"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0341-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_341"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_73"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0096-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0347-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0236-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0147-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0207-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0203-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	jp2launcher.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0153-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0110-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0302-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_302"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0060-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0139-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ = "Java Plug-in 11.351.2"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0169-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0106-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_106"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0081-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_81"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0276-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_276"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0052-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0093-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0102-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0053-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_53"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0325-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_198"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0290-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0106-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0164-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0333-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0223-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0309-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0340-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0070-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0120-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0150-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0197-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_197"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0202-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0169-ABCDEFFEDCBB}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0288-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0137-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0267-ABCDEFFEDCBC}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0300-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0194-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_194"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0294-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_40"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_218"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_274"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_27"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0097-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0160-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0324-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0351-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0357-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_357"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file\Extension = ".jnlp"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_59"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBC}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0160-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0137-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0046-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_46"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0028-ABCDEFFEDCBA}\InprocServer32	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBB}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0323-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0076-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0355-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_355"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0345-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_152"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0054-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBC}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0311-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_351\\bin\\jp2iexp.dll"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_95"	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	irsetup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1536	javaws.exe
864	javaws.exe
1780	jp2launcher.exe
1696	MSIA65E.tmp
1004	msiexec.exe
1004	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1908	jre-windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1908	jre-windows.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeSecurityPrivilege	1004	msiexec.exe
Token: SeCreateTokenPrivilege	1908	jre-windows.exe
Token: SeAssignPrimaryTokenPrivilege	1908	jre-windows.exe
Token: SeLockMemoryPrivilege	1908	jre-windows.exe
Token: SeIncreaseQuotaPrivilege	1908	jre-windows.exe
Token: SeMachineAccountPrivilege	1908	jre-windows.exe
Token: SeTcbPrivilege	1908	jre-windows.exe
Token: SeSecurityPrivilege	1908	jre-windows.exe
Token: SeTakeOwnershipPrivilege	1908	jre-windows.exe
Token: SeLoadDriverPrivilege	1908	jre-windows.exe
Token: SeSystemProfilePrivilege	1908	jre-windows.exe
Token: SeSystemtimePrivilege	1908	jre-windows.exe
Token: SeProfSingleProcessPrivilege	1908	jre-windows.exe
Token: SeIncBasePriorityPrivilege	1908	jre-windows.exe
Token: SeCreatePagefilePrivilege	1908	jre-windows.exe
Token: SeCreatePermanentPrivilege	1908	jre-windows.exe
Token: SeBackupPrivilege	1908	jre-windows.exe
Token: SeRestorePrivilege	1908	jre-windows.exe
Token: SeShutdownPrivilege	1908	jre-windows.exe
Token: SeDebugPrivilege	1908	jre-windows.exe
Token: SeAuditPrivilege	1908	jre-windows.exe
Token: SeSystemEnvironmentPrivilege	1908	jre-windows.exe
Token: SeChangeNotifyPrivilege	1908	jre-windows.exe
Token: SeRemoteShutdownPrivilege	1908	jre-windows.exe
Token: SeUndockPrivilege	1908	jre-windows.exe
Token: SeSyncAgentPrivilege	1908	jre-windows.exe
Token: SeEnableDelegationPrivilege	1908	jre-windows.exe
Token: SeManageVolumePrivilege	1908	jre-windows.exe
Token: SeImpersonatePrivilege	1908	jre-windows.exe
Token: SeCreateGlobalPrivilege	1908	jre-windows.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe
Token: SeRestorePrivilege	1004	msiexec.exe
Token: SeTakeOwnershipPrivilege	1004	msiexec.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2040	irsetup.exe
2032	irsetup.exe
2032	irsetup.exe
1908	jre-windows.exe
1908	jre-windows.exe
1908	jre-windows.exe
1908	jre-windows.exe
1780	jp2launcher.exe
1036	javaw.exe
820	javaw.exe
1812	javaw.exe
820	javaw.exe
820	javaw.exe
820	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 1628 wrote to memory of 2040	1628	TLauncher-2.871-Installer-1.0.6.exe	28
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 2040 wrote to memory of 1300	2040	irsetup.exe	31
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 1300 wrote to memory of 2032	1300	AdditionalExecuteTL.exe	32
PID 2040 wrote to memory of 392	2040	irsetup.exe	34
PID 2040 wrote to memory of 392	2040	irsetup.exe	34
PID 2040 wrote to memory of 392	2040	irsetup.exe	34
PID 2040 wrote to memory of 392	2040	irsetup.exe	34
PID 392 wrote to memory of 1908	392	jre-windows.exe	35
PID 392 wrote to memory of 1908	392	jre-windows.exe	35
PID 392 wrote to memory of 1908	392	jre-windows.exe	35
PID 1004 wrote to memory of 844	1004	msiexec.exe	39
PID 1004 wrote to memory of 844	1004	msiexec.exe	39
PID 1004 wrote to memory of 844	1004	msiexec.exe	39
PID 1004 wrote to memory of 844	1004	msiexec.exe	39
PID 1004 wrote to memory of 844	1004	msiexec.exe	39
PID 1004 wrote to memory of 1424	1004	msiexec.exe	40
PID 1004 wrote to memory of 1424	1004	msiexec.exe	40
PID 1004 wrote to memory of 1424	1004	msiexec.exe	40
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 1744	1424	installer.exe	41
PID 1424 wrote to memory of 268	1424	installer.exe	43
PID 1424 wrote to memory of 268	1424	installer.exe	43
PID 1424 wrote to memory of 268	1424	installer.exe	43
PID 1424 wrote to memory of 340	1424	installer.exe	45
PID 1424 wrote to memory of 340	1424	installer.exe	45
PID 1424 wrote to memory of 340	1424	installer.exe	45
PID 1424 wrote to memory of 1848	1424	installer.exe	47
PID 1424 wrote to memory of 1848	1424	installer.exe	47
PID 1424 wrote to memory of 1848	1424	installer.exe	47
PID 1424 wrote to memory of 1356	1424	installer.exe	49
PID 1424 wrote to memory of 1356	1424	installer.exe	49
PID 1424 wrote to memory of 1356	1424	installer.exe	49
PID 1424 wrote to memory of 1516	1424	installer.exe	51
PID 1424 wrote to memory of 1516	1424	installer.exe	51
PID 1424 wrote to memory of 1516	1424	installer.exe	51
PID 1424 wrote to memory of 1684	1424	installer.exe	53
PID 1424 wrote to memory of 1684	1424	installer.exe	53
PID 1424 wrote to memory of 1684	1424	installer.exe	53
PID 1424 wrote to memory of 560	1424	installer.exe	55
PID 1424 wrote to memory of 560	1424	installer.exe	55
PID 1424 wrote to memory of 560	1424	installer.exe	55

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.871-Installer-1.0.6.exe" "__IRCT:3" "__IRTSS:24870711" "__IRSID:S-1-5-21-1214520366-621468234-4062160515-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-1214520366-621468234-4062160515-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe
      "C:\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe" "STATIC=1"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1908
    - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
        5⤵
        Executes dropped EXE
        
        PID:896
    - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
        
        -Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_351\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
        5⤵
        Executes dropped EXE
        
        PID:1076
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:1336
  - - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1036
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:1696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 471CA0BAC76E5E01DC20C203DDA5B3B1
  2⤵
  - Loads dropped DLL
  PID:844
- C:\Program Files\Java\jre1.8.0_351\installer.exe
  "C:\Program Files\Java\jre1.8.0_351\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_351\\" STATIC=1 INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180351F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe
    "bspatch.exe" baseimagefam8 newimage diff
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1744
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_351\lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:268
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_351\lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:340
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_351\lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_351\lib/rt.jar"
    3⤵
    - Executes dropped EXE
    PID:1356
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_351\lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_351\lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_351\lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    PID:2012
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1536
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:1828
- - C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_351\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:864
  - - C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_351\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_351" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM1MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzUxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1780
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 320EF8DF99A85EFC83FCAD8146D09F03 M Global\MSI0000
  2⤵
  PID:1288
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 4D4E71175F53E771A1595646C1E92EA3
  2⤵
  PID:1284
- C:\Windows\Installer\MSIA65E.tmp
  "C:\Windows\Installer\MSIA65E.tmp" C:\Program Files\Java\jre7\;C;2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 680EA7918CDB742934A4367DF7D5F175
  2⤵
  PID:484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86523127DCBBD91515AD938EB6997F9F M Global\MSI0000
  2⤵
  PID:1496

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1676
- C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:820

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:1076
- C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:108
- C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
C:\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\baseimagefam8

Filesize
78.7MB

MD5
22646919b87d1a6dfc371464405b373b

SHA1
2296c69b12c3e0244fc59586f794457a4735e692

SHA256
0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11

SHA512
b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\diff

Filesize
50.4MB

MD5
926bc57fb311cc95bcefa1e1ad0ce459

SHA1
8c43b4d7aa223eaf9c73c789072545da0b2c55df

SHA256
9ccf1e30069b4781362f85c4a30993d86da99f211c2aaad4447ad051cc61600a

SHA512
216cb6483598960f5aea83beeb37fa700d047352d0b3c6c2405a7ee668554e0ab15358c178a6a2fc8c067f4177a0452cde93783797c15fccf224e640715f0743

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\newimage

Filesize
144.2MB

MD5
42f911bd9577dba41abfec153b50afdc

SHA1
e75303e84e59c81105db4aeb0e09ba92c0edfaa5

SHA256
a81763f447f212a42eddeecc63c58e580f1e4fb695480d24fba0bc43aa8c17e0

SHA512
40e22192db53eb84a117fbf729f83cbc79ff168509149b2281357295b72770816f260c9320cb7c5559f2242d7f7362dd7af4fa80d99a5db327cb2b690c9b6c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
53ff7c25d0bdddbc23667b1c7d18039b

SHA1
ff9163d718a4efe595395e90b6a089591c7c782c

SHA256
8c5b987f8c4be76a85ad2bb027a0b821e29b4814813bb97b43490d661355470f

SHA512
206282931c0326e74bcbdd0a3a6c55eabdb064dc57cf7a0e600e71463dd6265046ea6bd9d1742ac7f8b2a254ab7c5845fb7c23b84caa500aaf4e09112089f9fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5e546daef48f4dc50a789274af7801d

SHA1
1ac7f9736fcc25b0ef6f4f5f42c2b9c23a4847b8

SHA256
cef284ebf9cb2051ba82173c014410f84bb78312c29b646603153c723c1ec40a

SHA512
3996e486c0dd571057b4fc55f1e7fdaf41f2be0723fbca095d6012bc2a18fac460f04cd295edd7b100fe72e1a467b1020555f5cd8b17df9e6d52054d3ae65db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
dca903bd69d14f246d83bce939aeffe4

SHA1
c55fd47fe5b848825644af66413909d4fa100fcf

SHA256
a22b90a0de1d4070dea849520cbbda238babb0321ee67d4299deec083396caf1

SHA512
abcb79f58773ce4e49c72f2a001f94a1f198c38ecc2d0fb4e5a4223b2262b52da60f53c39ca0fae479befffe30e1c8623f4a92d955e3da6aba35282b9a9d129a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1878026db40ccbed4c2d67588fd4b8b1

SHA1
bad0be8df9ddd1aafc8aa6cbde8eb0f5394db2a0

SHA256
2f5c3b6610618f1a71b2d8e878a629606396276692d63944d1971cf1c8f2b4f3

SHA512
ea7f787f4dbedfb56de8c54794575d0f33ce56276a10398c8fdc2b55641fa71f32fbf386aaf8d0734c156928baba97c703c7dacc797e526e89efac0304621209

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_351_x64\jre1.8.0_35164.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
d5e68b8fb785df23ba4c025e446d3531

SHA1
ea753d07a95923303321754d70b4243ecc477f26

SHA256
0072874b96dfd042dcd84026047a1106398376ccf68e697c3e10631fe36f2f47

SHA512
a759aaee1d344bf0d4f75227458603269443ecabfc959f30c956c6e216d9037a174d0356020f59a998595d95761d359ea43caca6484666c1dff3b44812f32bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
28KB

MD5
9f0cc95b21bd806d13b0708d2f962754

SHA1
82e2b8e41a0a20bf248054d008a87de8ad01cb65

SHA256
613b0ffdfa993966e3f4bc57227d210a8bc2cd77f342f5573928560f28977809

SHA512
4b1468a6028328b915e68de9f25ea3448a3de1a72f37322093db6c431f7f5575bfb65b09293990462c61741e1c7f3f7440b30d55bd55321c749b97bf9593b0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
41KB

MD5
8945f2bd0e79b79f0a208fdfc864c758

SHA1
5275fee3546c93655c4fa6b57688cfe5d600a74a

SHA256
dd6e08ec9e107228b1c965fc71ed6efeca1b4b69038cae295be5b5933825203d

SHA512
cdabc052567a65d050d4fa94d5c59a2f3a64718c924319c7353d30bee03998f23a99983b5c73470d86dba2a4f5a5645c4764dbf2268990ad0b4f85871e986bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
603B

MD5
e43c02cfa1d511d20cde1ff59c87e071

SHA1
2999b1df8bdb069db750d9e0ab4e77efdd804f62

SHA256
7539600bf458767a3d76d932cd0d19c9f7ca349ea8ed87092b60e2147456591e

SHA512
af30141ed9da9b9dc65fd17860f6608a2529506b535976130fbfeb159777b8b2d469be45a6aa58d718f5ae5cf05c00e0fc89c94e9051df47f3dedef401216ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OFJBZMPB.txt

Filesize
867B

MD5
1148836a60ca86383ed56c46df4df4c1

SHA1
3ac16b5372e2ff1db25d09737e1488a5b9b2086f

SHA256
4dbb5b902f77a6c4d3459bdfaae31334827c7acffaeb22bb481bcd8774cddb60

SHA512
c84807bc78cd43e020e6adf35a5ff69086d203b36378f57f89ec8bc9672478cd72d8e1de502800ed22945f56cccc27c359ab06fddc14985f116012f2bfe1e765

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WJBGW8UY.txt

Filesize
879B

MD5
05be6d52e61159deb1ba298ef9ef8535

SHA1
1986c3afdffd021f7aa40eca3748f5b04340a992

SHA256
45d3b3edacdf2902a869cd21c1610540df6f2a42dd75ae841cf54b9aaea93622

SHA512
53e58671ed4a6ea1f621908880e7079fb3fb5eca616f8a87282486b63bb0105c4f01df2b009d06c6381b81c4d8e675565811877974eb4b17d25870cf06233415

Download Submit
C:\Windows\Installer\6d9f50.msi

Filesize
81.0MB

MD5
1794aaa17d114a315a95473c9780fc8b

SHA1
7f250c022b916b88e22254985e7552bc3ac8db04

SHA256
7682233d155e6d19f30cf61b185a02055be0dbcacd2c9accf90a99de21547eb4

SHA512
fb9defdf73786528e82ffc7e1ccfa03cfb687365ec740e9620993da785414306f03a7e1fa523192a9d690a882b012d1e426afd1757639f3ef5f1e612c01e6516

Download Submit
C:\Windows\Installer\MSIBAFD.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIBD20.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
C:\Windows\Installer\MSIBE0C.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Program Files\Java\jre1.8.0_351\bin\unpack200.exe

Filesize
216KB

MD5
691f68efcd902bfdfb60b556a3e11c2c

SHA1
c279fa09293185bddfd73d1170b6a73bd266cf07

SHA256
471d70ebf91bdc762dcacbea9f6ca883f97921938e83269fef911dbf83598a70

SHA512
a4816ae0654f41bd130d56e44839d9f29ab48bd2f99c3d6db38ce3358ac46c1cef09da09184c6291dd378018a49f9e56173c35d780d3eaefcce459592c75de3f

Download Submit
\Program Files\Java\jre1.8.0_351\installer.exe

Filesize
130.3MB

MD5
1b7d3a2eb4a3893ea7fec68dbcc09a81

SHA1
5abe3f871f41d9226f6b330e0d76f4aeb4987891

SHA256
75fe10b94b9570bff04d8440340bead917ce46fc20f0a9795bca73053c3aa5d5

SHA512
b834ec60c4fba13e1065d248bede905f386e92207d91a2e1c7465eddc9767a5b0d27f49b19cdf64b241dcb7664ef5976f9367c90b10ff2ea7adb281e6aaf7953

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\ProgramData\Oracle\Java\installcache_x64\7193642.tmp\bspatch.exe

Filesize
34KB

MD5
2e7543a4deec9620c101771ca9b45d85

SHA1
fa33f3098c511a1192111f0b29a09064a7568029

SHA256
32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1

SHA512
8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ec4efe0ebb80b619737bd26180cc76cc

SHA1
7fd72c0eb6bee289e4b2714cf1fb8c197754811b

SHA256
b1501df2280c557ad1535a504bd43c25611c168fd543008b7949c03b29e70547

SHA512
384ae150773cf07322c614459db9db98e1995f6b185579c7b56763ed0352e043f51d0e840f94ac3e832a1378452f090b68ee281c437b16da3762974723e64e1a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7148121.tmp\jre-windows.exe

Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
\Users\Admin\AppData\Local\Temp\jre-windows.exe

Filesize
84.5MB

MD5
7542ec421a2f6e90751e8b64c22e0542

SHA1
d207d221a28ede5c2c8415f82c555989aa7068ba

SHA256
188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

SHA512
8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

Download Submit
\Windows\Installer\MSIBAFD.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIBD20.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
\Windows\Installer\MSIBE0C.tmp

Filesize
757KB

MD5
62cfeb86f117ad91b8bb52f1dda6f473

SHA1
c753b488938b3e08f7f47df209359c7b78764448

SHA256
f06cba20bd40e9d841add1877cf8d3b406f0acfa4800b80ae041ed3cc374eb7e

SHA512
c1b0e76cee4e2c3ca604dcc8f5665e72e70008acc824e20d89404f139d7e7e789e99dff131dafd76409f6ea0a813aa136f96089fbdadcf90d6485b1807762e4e

Download Submit
memory/820-272-0x0000000002210000-0x0000000003210000-memory.dmp

Filesize
16.0MB

Download
memory/820-293-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/820-296-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/820-264-0x0000000002210000-0x0000000003210000-memory.dmp

Filesize
16.0MB

Download
memory/820-292-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/896-215-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/896-283-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-308-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-309-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-286-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-249-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-304-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-291-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-303-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-285-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1036-284-0x00000000021D0000-0x00000000031D0000-memory.dmp

Filesize
16.0MB

Download
memory/1076-228-0x00000000022C0000-0x00000000032C0000-memory.dmp

Filesize
16.0MB

Download
memory/1272-297-0x0000000002150000-0x0000000003150000-memory.dmp

Filesize
16.0MB

Download
memory/1300-90-0x0000000002DF0000-0x00000000031D8000-memory.dmp

Filesize
3.9MB

Download
memory/1300-93-0x0000000002DF0000-0x00000000031D8000-memory.dmp

Filesize
3.9MB

Download
memory/1300-98-0x0000000002DF0000-0x00000000031D8000-memory.dmp

Filesize
3.9MB

Download
memory/1628-65-0x0000000002CB0000-0x0000000003098000-memory.dmp

Filesize
3.9MB

Download
memory/1628-66-0x0000000002CB0000-0x0000000003098000-memory.dmp

Filesize
3.9MB

Download
memory/1628-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1744-144-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-143-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-152-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-147-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-151-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-150-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1744-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-197-0x0000000002390000-0x0000000003390000-memory.dmp

Filesize
16.0MB

Download
memory/1780-205-0x0000000002390000-0x0000000003390000-memory.dmp

Filesize
16.0MB

Download
memory/1780-195-0x0000000002390000-0x0000000003390000-memory.dmp

Filesize
16.0MB

Download
memory/1780-183-0x0000000002390000-0x0000000003390000-memory.dmp

Filesize
16.0MB

Download
memory/1780-196-0x0000000002390000-0x0000000003390000-memory.dmp

Filesize
16.0MB

Download
memory/1812-275-0x0000000002230000-0x0000000003230000-memory.dmp

Filesize
16.0MB

Download
memory/1812-298-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1812-274-0x0000000002230000-0x0000000003230000-memory.dmp

Filesize
16.0MB

Download
memory/1812-302-0x0000000002230000-0x0000000003230000-memory.dmp

Filesize
16.0MB

Download
memory/1812-301-0x0000000002230000-0x0000000003230000-memory.dmp

Filesize
16.0MB

Download
memory/1908-108-0x000007FEFBE31000-0x000007FEFBE33000-memory.dmp

Filesize
8KB

Download
memory/2032-99-0x0000000001170000-0x0000000001558000-memory.dmp

Filesize
3.9MB

Download
memory/2040-148-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2040-70-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2040-71-0x00000000004D0000-0x00000000004D3000-memory.dmp

Filesize
12KB

Download
memory/2040-72-0x0000000001190000-0x0000000001578000-memory.dmp

Filesize
3.9MB

Download
memory/2040-87-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/2040-67-0x0000000001190000-0x0000000001578000-memory.dmp

Filesize
3.9MB

Download
memory/2040-101-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/2040-240-0x0000000001190000-0x0000000001578000-memory.dmp

Filesize
3.9MB

Download