f897ccfbeba62f5e1abb3f0d7a72ab83b4b9ae3e9b2d5c4eac0b79cabd4036fd

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File opened for modification	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\glib-lite.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\rmiregistry.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jjs.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fontconfig.properties.src	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\charsets.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\javaws.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\w2k_lsa_auth.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\tzdb.dat	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\Xusage.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\Welcome.html	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\libxml2.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\management.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunjce_provider.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\bcel.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\npt.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\cldrdata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\prism_d3d.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\asm.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\directshow.md	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_241112875\java.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\accessibility.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_TW.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_de.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\cacerts	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\trusted.libraries	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\cmm\LINEAR_RGB.pf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\lcms.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\net.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\tnameserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\java_crw_demo.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_241112875\javaws.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\fontmanager.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\jpeg_fx.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssv.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\splashscreen.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\ffjcext.zip	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\santuario.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\dtplugin\deployJava1.dll	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI422.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5efb20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4843.tmp	msiexec.exe
File created	C:\Windows\Installer\e5efb23.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38A0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}	msiexec.exe
File created	C:\Windows\Installer\e5efb17.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180361F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3822.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5efb17.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI191E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3419.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4311.tmp	msiexec.exe
File created	C:\Windows\Installer\e5efb1a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI364D.tmp	msiexec.exe
File created	C:\Windows\Installer\e5efb20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4583.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0054-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0213-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0193-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_49"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_57"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_188"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0046-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_46"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 11.361.2"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0276-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_276"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0213-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_213"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0121-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0050-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_50"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0220-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0214-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0236-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0115-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0112-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0168-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_170"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0104-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0292-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0338-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_338"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0302-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_16"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_129"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0023-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0059-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0264-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0088-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0027-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0349-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0099-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0149-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_149"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0068-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_68"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_82"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0303-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_353"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0115-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0194-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0350-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0138-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0296-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0315-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0100-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_72"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0218-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0178-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_178"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0341-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0302-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_66"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0147-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0243-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_243"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0269-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0290-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_290"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0192-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_65"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0056-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_56"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_95"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0202-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_278"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0348-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0365-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0073-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0213-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.1_03"	installer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u361.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
2680	chrome.exe
2680	chrome.exe
2888	chrome.exe
2888	chrome.exe
2908	chrome.exe
2908	chrome.exe
2972	chrome.exe
2972	chrome.exe
1524	chrome.exe
1524	chrome.exe
3312	chrome.exe
3312	chrome.exe
4164	chrome.exe
4164	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
2808	chrome.exe
2808	chrome.exe
2804	chrome.exe
2804	chrome.exe
2912	chrome.exe
2912	chrome.exe
1604	chrome.exe
1604	chrome.exe
3336	javaws.exe
3336	javaws.exe
2532	jp2launcher.exe
2532	jp2launcher.exe
1732	javaws.exe
1732	javaws.exe
4284	jp2launcher.exe
4284	jp2launcher.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1888	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1888	JavaSetup8u361.exe
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeCreateTokenPrivilege	1888	JavaSetup8u361.exe
Token: SeAssignPrimaryTokenPrivilege	1888	JavaSetup8u361.exe
Token: SeLockMemoryPrivilege	1888	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	1888	JavaSetup8u361.exe
Token: SeMachineAccountPrivilege	1888	JavaSetup8u361.exe
Token: SeTcbPrivilege	1888	JavaSetup8u361.exe
Token: SeSecurityPrivilege	1888	JavaSetup8u361.exe
Token: SeTakeOwnershipPrivilege	1888	JavaSetup8u361.exe
Token: SeLoadDriverPrivilege	1888	JavaSetup8u361.exe
Token: SeSystemProfilePrivilege	1888	JavaSetup8u361.exe
Token: SeSystemtimePrivilege	1888	JavaSetup8u361.exe
Token: SeProfSingleProcessPrivilege	1888	JavaSetup8u361.exe
Token: SeIncBasePriorityPrivilege	1888	JavaSetup8u361.exe
Token: SeCreatePagefilePrivilege	1888	JavaSetup8u361.exe
Token: SeCreatePermanentPrivilege	1888	JavaSetup8u361.exe
Token: SeBackupPrivilege	1888	JavaSetup8u361.exe
Token: SeRestorePrivilege	1888	JavaSetup8u361.exe
Token: SeShutdownPrivilege	1888	JavaSetup8u361.exe
Token: SeDebugPrivilege	1888	JavaSetup8u361.exe
Token: SeAuditPrivilege	1888	JavaSetup8u361.exe
Token: SeSystemEnvironmentPrivilege	1888	JavaSetup8u361.exe
Token: SeChangeNotifyPrivilege	1888	JavaSetup8u361.exe
Token: SeRemoteShutdownPrivilege	1888	JavaSetup8u361.exe
Token: SeUndockPrivilege	1888	JavaSetup8u361.exe
Token: SeSyncAgentPrivilege	1888	JavaSetup8u361.exe
Token: SeEnableDelegationPrivilege	1888	JavaSetup8u361.exe
Token: SeManageVolumePrivilege	1888	JavaSetup8u361.exe
Token: SeImpersonatePrivilege	1888	JavaSetup8u361.exe
Token: SeCreateGlobalPrivilege	1888	JavaSetup8u361.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe
2680	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2516	javaw.exe
1888	JavaSetup8u361.exe
1888	JavaSetup8u361.exe
1888	JavaSetup8u361.exe
1888	JavaSetup8u361.exe
2532	jp2launcher.exe
4284	jp2launcher.exe
4900	javaw.exe
844	javaw.exe
844	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2516	2104	TechnicLauncher.exe	80
PID 2104 wrote to memory of 2516	2104	TechnicLauncher.exe	80
PID 2680 wrote to memory of 3984	2680	chrome.exe	92
PID 2680 wrote to memory of 3984	2680	chrome.exe	92
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 4696	2680	chrome.exe	95
PID 2680 wrote to memory of 3028	2680	chrome.exe	96
PID 2680 wrote to memory of 3028	2680	chrome.exe	96
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97
PID 2680 wrote to memory of 1108	2680	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\TechnicLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TechnicLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Djava.net.preferIPv4Stack=true -Dawt.useSystemAAFontSettings=lcd -Dswing.aatext=true -classpath "C:\Users\Admin\AppData\Local\Temp\TechnicLauncher.exe;anything" net.technicpack.launcher.LauncherMain
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b6f64f50,0x7ff8b6f64f60,0x7ff8b6f64f70
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2560 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:3472
- C:\Users\Admin\Downloads\JavaSetup8u361.exe
  "C:\Users\Admin\Downloads\JavaSetup8u361.exe"
  2⤵
  - Executes dropped EXE
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\jds241073703.tmp\JavaSetup8u361.exe
    "C:\Users\Admin\AppData\Local\Temp\jds241073703.tmp\JavaSetup8u361.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1888
  - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
      "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
      4⤵
      Executes dropped EXE
      PID:5004
  - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
      "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
      4⤵
      Executes dropped EXE
      PID:2296
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
      -Djdk.disableLastUsageTracking -cp "C:\Program Files (x86)\Java\jre1.8.0_361\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
      4⤵
      Executes dropped EXE
      PID:2520
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
      -Djdk.disableLastUsageTracking -cp "C:\Program Files (x86)\Java\jre1.8.0_361\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
      4⤵
      Executes dropped EXE
      PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1488 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1584 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9744 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9428 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9548 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9468 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1120196302970409689,11732548004862628453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 708C28F650C8D53463B087E920625CA8
  2⤵
  - Loads dropped DLL
  PID:4860
- C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
  "C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180361F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2316
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3544
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2172
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3336
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2532
- - C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
  - - C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D12A2FF8DF5551A0C12A4535CB5A8A8C E Global\MSI0000
  2⤵
  PID:4800
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85F9D484E77C0EB389A637EAFB9871BB
  2⤵
  PID:2860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 675D4506115E4F959693928E4FE1BBC0 E Global\MSI0000
  2⤵
  PID:4988
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BE5044DDC09C018EE518CC141A9558B2
  2⤵
  PID:3836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 614CD7F211B600495FC1AAEAC7C57353 E Global\MSI0000
  2⤵
  PID:3228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:404

C:\Users\Admin\Downloads\TechnicLauncher.exe
"C:\Users\Admin\Downloads\TechnicLauncher.exe"
1⤵
- Executes dropped EXE
PID:2448
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Djava.net.preferIPv4Stack=true -Dawt.useSystemAAFontSettings=lcd -Dswing.aatext=true -classpath "C:\Users\Admin\Downloads\TechnicLauncher.exe;anything" net.technicpack.launcher.LauncherMain
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4900

C:\Users\Admin\Downloads\TechnicLauncher.exe
"C:\Users\Admin\Downloads\TechnicLauncher.exe"
1⤵
- Executes dropped EXE
PID:3112
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Djava.net.preferIPv4Stack=true -Dawt.useSystemAAFontSettings=lcd -Dswing.aatext=true -classpath "C:\Users\Admin\Downloads\TechnicLauncher.exe;anything" net.technicpack.launcher.LauncherMain
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery