a1773235dcd9c9f815793b7509f91b959b450c4bf90b6c26794c9f59458f9050

Analysis

max time kernel
115s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
05-03-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

5.9MB
MD5

d0ffcc482ce53b386a30199dab65f6e0
SHA1

00ef2852b530749fbcb8c40099bdc68151780bb6
SHA256

a1773235dcd9c9f815793b7509f91b959b450c4bf90b6c26794c9f59458f9050
SHA512

09a4b86a7b77d08daf0668e6e9f7eac66ac0368b2f4a08d4404a10b8b45a1b929c9402ff36369780015728fb7d371fce59b43ce518214ba011b3f0248cdc8b63
SSDEEP

98304:7RRxywgpOB5q7fgMamWcXU3KUvLp73YxRfSjhFvucBaM6stwpINm5wbCKHB3:7xy5ABA7fgxlp3YxRwduqgsEEm5nQB

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
159	2228	msiexec.exe
160	2228	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1760	jre-8u361-windows-x64.exe
4692	jre-8u361-windows-x64.exe
4656	installer.exe
3264	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
3264	javaw.exe
3264	javaw.exe
3264	javaw.exe
3264	javaw.exe
3264	javaw.exe
3264	javaw.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe
4656	installer.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\wsdetect.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\management-agent.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\pkcs11wrapper.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\classlist	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\javafx\libxslt.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\ktab.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\lcms.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\tnameserv.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\security\cacerts	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\security\policy\unlimited\US_export_policy.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\javafx\public_suffix.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\ext\nashorn.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\cmm\PYCC.pf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\WindowsAccessBridge-64.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\libpng.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\security\public_suffix_list.dat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\zip.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\xalan.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\deploy\messages_ko.properties	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\meta-index	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\psfont.properties.ja	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\xmlresolver.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\jfr\default.jfc	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\fontmanager.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\deploy\messages_ja.properties	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\plugin.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\flavormap.properties	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\xerces.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\java.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\ucrtbase.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\dt_socket.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\plugin2\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\images\cursors\win32_CopyNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\jli.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\images\cursors\win32_CopyDrop32x32.gif	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\prism_d3d.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\splashscreen.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\deploy\messages_zh_TW.properties	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaSansDemiBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaBrightDemiBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\javafx\libxml2.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\resource.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\pkcs11cryptotoken.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\tzmappings	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\rt.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\giflib.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\hprof.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\policytool.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\jvm.hprof.txt	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\relaxngdatatype.md	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180361F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID68C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b8d0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2F1.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b8d3.msi	msiexec.exe
File created	C:\Windows\Installer\e57b8d0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7C5.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_21"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_02"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\System	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_https = "1"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_05"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_15"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_17"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_31"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_34"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_27"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_02"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_03"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_06"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_22"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_16"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib\ = "{5852F5E0-8BF4-11D4-A245-0080C6F74284}"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlp\Shell\Open\Command\ = "\"C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2launcher.exe\" -securejws \"%1\""	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\Shell\Open	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_30"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\ = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_10"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_21"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130160F\ProductName = "Java 8 Update 361 (64-bit)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.0_05"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_07"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1\ = "384"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IMPLEMENTED CATEGORIES\{59FB2056-D625-48D0-A944-1A85B5AB2640}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{DBC80044-A445-435B-BC74-9C25C1C588A9}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0034-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_34"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_25"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_31"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_11"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.8.0.0\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\wsdetect.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "Java(tm) Plug-In SSV Helper"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}	installer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3712	Loader.exe
3712	Loader.exe
3712	Loader.exe
3712	Loader.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe
Token: SeShutdownPrivilege	4952	chrome.exe
Token: SeCreatePagefilePrivilege	4952	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
3712	Loader.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4692	jre-8u361-windows-x64.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe
4952	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3712	Loader.exe
4692	jre-8u361-windows-x64.exe
4692	jre-8u361-windows-x64.exe
4692	jre-8u361-windows-x64.exe
4692	jre-8u361-windows-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1460	4952	chrome.exe	68
PID 4952 wrote to memory of 1460	4952	chrome.exe	68
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4140	4952	chrome.exe	70
PID 4952 wrote to memory of 4760	4952	chrome.exe	71
PID 4952 wrote to memory of 4760	4952	chrome.exe	71
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72
PID 4952 wrote to memory of 1252	4952	chrome.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffd83a69758,0x7ffd83a69768,0x7ffd83a69778
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:2
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1968 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4824 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3360 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4812 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5028 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5792 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3180 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4720 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4840 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4608 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4820 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1516 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:660
- C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe
  "C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\jds240603031.tmp\jre-8u361-windows-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\jds240603031.tmp\jre-8u361-windows-x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 --field-trial-handle=1784,i,3863361445974900659,10716499391057345571,131072 /prefetch:2
  2⤵
  PID:2508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
PID:2228
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8D400237F79BD55980E585C8C35BCF8A
  2⤵
  - Loads dropped DLL
  PID:2188
- C:\Program Files\Java\jre1.8.0_361\installer.exe
  "C:\Program Files\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180361F0}
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4656
- - C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3264
- - C:\Program Files\Java\jre1.8.0_361\bin\ssvagent.exe
    "C:\Program Files\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
    3⤵
    PID:368
- - C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
    3⤵
    PID:3348
  - - C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:5112
- - C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -shortcut -silent
    3⤵
    PID:4412
  - - C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe
      "C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
      4⤵
      PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre1.8.0_361\bin\java.dll

Filesize
163KB

MD5
db081a9968bb0c37a57725cdb66a0c7b

SHA1
d5fed172d82111d1f3bcb46ab3bd8b412f3ee003

SHA256
5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3

SHA512
8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe

Filesize
273KB

MD5
dc1ddfa9036cd403e17fb7134aff000f

SHA1
0183543dd2fbb2ff7d0997c56ac624e6b2ebff40

SHA256
9bb8aaa6673ec46e5e9cff88fedefad4b33941b0831f4a7047433a24399e9692

SHA512
ecb7603a5f07a95ce3506ecaf38cb07ee089070cc041ce0c92722cafe8c3545b73dd5bf59f06115291b774d3c034c6e677f6fec2780208fa73e387d7c379cb9f

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\server\jvm.dll

Filesize
8.2MB

MD5
a5b5e313919826735b73731252a2bc2e

SHA1
090054f0aeeaaac570130ef5a03c26970cdb050c

SHA256
86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4

SHA512
2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\verify.dll

Filesize
54KB

MD5
c15088054d639475e51b88251369c226

SHA1
8849a9ee53e6bc7d1618103b674a6f481b72f3aa

SHA256
a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c

SHA512
81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4

Download Submit
C:\Program Files\Java\jre1.8.0_361\bin\zip.dll

Filesize
84KB

MD5
7c7a8adce66eeb67a96ca617c8286d72

SHA1
da1f100637f0b94aaea4e3999ef96a32a63bfc2b

SHA256
d15be64cc05ae14db69b5a3558cd57767eda91e708c74d3dccdc4958c42cb5d9

SHA512
00d3c1145b8c8ea246f456000c2fcfe1e978d148ad69ddabdf9e5f332db4e44025211916c6452b5030f8326d523d6e72de8aebd9e41d83afccb8713e88782f31

Download Submit
C:\Program Files\Java\jre1.8.0_361\installer.exe

Filesize
1.1MB

MD5
dcb07febfc873261ae0c351d327027a0

SHA1
b3855001990bb500212f4f8b421594e91f45d5f3

SHA256
e9d0623547dd40d5ccc42e4718d4e307241fcf2d4a5df93d1ec0fdc9925aafac

SHA512
374d8d4d39e344cc050ea0cde3a51db801ba77b18c85934820e6d1f37101922878b4107dc506f5be7ab3e0f2badbf0ace87bb0ab5713f5bdc27df00731f84dff

Download Submit
C:\Program Files\Java\jre1.8.0_361\installer.exe

Filesize
1.1MB

MD5
dcb07febfc873261ae0c351d327027a0

SHA1
b3855001990bb500212f4f8b421594e91f45d5f3

SHA256
e9d0623547dd40d5ccc42e4718d4e307241fcf2d4a5df93d1ec0fdc9925aafac

SHA512
374d8d4d39e344cc050ea0cde3a51db801ba77b18c85934820e6d1f37101922878b4107dc506f5be7ab3e0f2badbf0ace87bb0ab5713f5bdc27df00731f84dff

Download Submit
C:\Program Files\Java\jre1.8.0_361\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Program Files\Java\jre1.8.0_361\lib\rt.jar

Filesize
53.2MB

MD5
f9067274f870f513dee2284e9089d2b9

SHA1
6aab77a3bf6c208adf805432f407dea41833e70f

SHA256
9016dc6f643af8b411d38fb6189f6af0e6bb39210e3ca379c8313f666c94aac1

SHA512
510a34d46b0187f8360373df3e023eda6b98c1187e35b24bf4bd9e5fc3774532e1e96d93ee08bb3b7e130404855a3704918038f5df4a614d4f520ea896df52c2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url

Filesize
197B

MD5
faded0d5bdcbad42d8f4826cc3c620fd

SHA1
c49c34f2d2160297b1c0c71c327180ed52ff673e

SHA256
d869d1b0c391cd9ce8f0c633cb8e5731c5073c33f875b32a2a61006a3c1bb24a

SHA512
bc60186037724353460a0f7af8b207ccabe64d80aaff796d9ee082c6cb6573ff214dedc22080fdf23664ce79f7604276e1bab746dcf2407a46e40ff38b7119cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url

Filesize
182B

MD5
472d99cc0c3c745e9d794af2495e1073

SHA1
c1fbb2d17fbcea3d8d76d4516cb099ef89c3d6ce

SHA256
0a07df0e4ca2361cbd92c5c56068d8ea51cf0cfcc755d015cd1034c250cf1f9a

SHA512
bed250fb803323ebef7c6af71912572767a6e36e4ed54886d773758e3470c906ca9995dd54c64b43f297c7de676fc47936ced5c81cdf3fa8ee9688d9c96a6e27

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url

Filesize
178B

MD5
629c2e7a4d9e24406873fe2fa7543be7

SHA1
d6c48edc07e35c1b84fc2bf5f74367edcd2bd3d2

SHA256
cf23fccf15c640cda1a383a09246a5a1213ebd5c9a1c077ad5cddb785f4700dd

SHA512
00cd51c0377e9c058c3cafcf4ba03ffbdad37711b4bafe054eba978fb3dc4c178cfec0d292d4fee27aea42a8b39ba8187866ad4d304f8b74662bf1accfaae8e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361_x64\jre1.8.0_36164.msi

Filesize
58.7MB

MD5
407d36101348022e67342b44292d2b39

SHA1
1811ab3993672a9f329868622d96014043bd5f4a

SHA256
213e9fa760dfa2af22a4ac94a10c7f21f4b482aa04e8cf3706264e4c17d2481e

SHA512
cd78f2d3d8057467f87c846fd2252cc2632de822b2c5d37a9f2bcd0c68fafe598bdc4bc69760cd7e84037a5b28b3f11a4385684962857e3ce572ec9b302f0c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.8.0_361\Java3BillDevices.png

Filesize
11KB

MD5
b3c9f084b052e95aa3014e492d16bfa6

SHA1
0e33962b2191e7b1a5d85102cdf3c74fcd1254e4

SHA256
a68ddd67f6fcb0bbf1defa0778ee543e92c1074c442197ab623f733cc6285948

SHA512
06f51ac2962a0ec5f05ad6c90a2ba85b851d1fa2f0c079dc264fe930316cead959f68f6e34ff591b131867b482c266ac42400b06385dae712637ff0a90f902d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\40374843-3530-4a93-b16b-c74cabc5556b.tmp

Filesize
72KB

MD5
c4043ec5fe3dc912e65b81ef9904d81a

SHA1
eecd0e1cb6c973b96074dc52ba8e8be108f3955a

SHA256
9b26c30de0752b03ec4b12bbc4cb9239db7f7606673c602eb3de1c99399d94a7

SHA512
4f094a6dafe51e4590466044c24e441f4e28318fa5f6f5cfdc5a8409347fb3d93af62c87c8c1ba8f0dab9d33b8f92a639ae61c584011c817de66d51b1743f92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
37KB

MD5
d90cb261f4a509d886611473296e188e

SHA1
23551f9039c8b855b496f017c8f75b32f6e56671

SHA256
ca6c7cdd1e68e9f251fbf58e0b0ad9e883b38979e264c3cf4125f603b21c8bb4

SHA512
1cca6c9490c8f7adca7441ffea3e7445309d0c52fbaf7252e4c3c73525e00233a8173536c031747a55343bb86e96618d9c96afc6e4f8d25b0106729cca5c8031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7c6406b0aac7c710b5e61c8b6e1b8a53

SHA1
2a0a9edef44b387803594b068e43512f6f675aff

SHA256
93957d2a489f2b450119f3c0778c302570e8dc23388f2ed4e655d464708098b0

SHA512
90e33118ad70924292dd310c8a94d2ec4c1bd0648913fdbcc64948ba0a5785e47b436691ad04d1bf5b3c5fe4792d0b01328a485ae2bed29897f9816276793ee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
2d7fcb2800bba8d1ecce503b4cd01c82

SHA1
7e991021a87eac8f015eecbe5db6c1f42a2ed145

SHA256
7b2fb36c40ab8a5d69811d19ebfb5a4ffa279819c1807623d0c382d18ef227da

SHA512
65404260f6f4b24c7846068f148eaaf226fb78bc252112b6134e89a7d0eb3d8808fd98f08f7ef859dd79da32690434d089e54cf0bf96787e4b61dff28e13950a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6495c571155b0a7ce090499aebb61950

SHA1
155dea48835482a20312c0cb3e5dfdcdb8877bc6

SHA256
a58a214edca7e0be7f08c337aed05fcea3370e31548736eaea3cd8304e1ec8fa

SHA512
48386be572fd92a741227a5123d1649cee761b737bcac2272fa572d78ffb7c0baba91db044af6e09ebde6be8cb71bd15fd3c6fcaa9fafc15e809424c886442df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ce8feb096ed7f18d27896f4d04beca80

SHA1
a570fd16144fc44ce5827f35292f2f38ebc98d45

SHA256
c28e5ff1ee9087209b9ead62e9b997d933cc9cb6b7dad76d14a58dadff7431b2

SHA512
b1419e33fe401aa5f9b0b9d640efd2d0c8c186768b50a7619bfab2cc2e57c9017c88d8ffae570b733dcabd537ce6c6cc771c7f45c6e5a6055e1f84be08c5236a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3ddbe09c5602540715f4cc9022ea13c7

SHA1
92b32d678180801f7e6a5cc5bec4167579e5ba24

SHA256
81f424f49c8c5a11127b060977588ca4c12d216386b3a6c0e9984dafbc592f76

SHA512
7b26ba8267dbca74700a3b9ed22e8485989696de7aba93289afabf61ba0640b13611961f085f738df63241942e1129c8833ca0844d285d62ac0b27fa09c5f09d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a07c1b2c0d0974a5d2ab48925a97a4a8

SHA1
5fc26c1c979511b7fe3ce6abcd04aedd4a20189c

SHA256
7a2fa35b83504353a4054c6766e0c8d69d77ba4e2b0ff1a8317e13aa180d4fc4

SHA512
9e65aa3b794614ff208abe5122d4aab01bdbe05792b57a638e3ded0d8a931c2056a13c9f7d079118f9b32b660cf3f986ede271d57b3c5a840c33abf3f993618d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
785865043d4a13e423d72bfeab976906

SHA1
54fd69eb21db4a21724f34c621763ba468c6a010

SHA256
8b6fd7883eebac8597d141930d7532ea142548b571e790211da6003dbb3cf541

SHA512
f1542521894eb05c2085122009b600eb6c0014d067d8472abafa694832ea5bd4e11884f6c82eb13e6a48b2b179410b33c170d71626ff5dccaadaf722207faf55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8535317ffb9c2aec846055856000080c

SHA1
499641839a7d4d4762ca68f9012c997a67fe2a13

SHA256
bf53b8f97057b04784b1e3b5935bb224317f9ed91bd66baddd3b1615cc32886b

SHA512
c4ed8cb46ead905a1c29f649d698444b7b5a5c3f53bf6890b0203fd9b77c222bf8f2d8eaf6f4fcff54b0da2972c7c66aa400da80c0e169e2e66487fbc503305f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1ba23d107339568c511d5a946285ec1f

SHA1
c7fa35eeec4c41795a3f2df207f7e287fee4f030

SHA256
a0ce95884b325c832da11917b82c7fa3b2b64ec4add6d79d062e540ada46dc45

SHA512
fad4abec3d8913c6aab93198a82b8f1e1ae38d6f03d6501c9e0ae7bfbcd3c423ac26278bdc770aa77898207028184d773173b7c2ac07dac11d388d4f0cdddaff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f558539a0216908ba54f1fe0674fcb9d

SHA1
0854431b355dfe0b96bd0a051b0cf2cd50a51da1

SHA256
ae9f59b9330f4944668152abb92458a47337300775c6a5337dd30f26e0863d9e

SHA512
9a32f9e08319a651159c5c23656d722513b7b6ba8a4398cc16bcbe04f7d5da1b9b842255194693b2291a40b3b9c03d1e316b9d432408bedfe6346b2b25020986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b79f2509235092920d4145bb15bfbaab

SHA1
c9d36be8d942b651bd11b1f130fe82acfece813a

SHA256
22c2899e65fe1354aba13c2d9d2b7fc89d50bb50e2df6b133f1b687059b4bd8b

SHA512
d7f27d2d9c11e3356a02ebb6298e3f449bd1e83c55b27161051c6b10affe0352516912691502e8e5fdb98a8cdce1c0f65041a2dc2b4b2033392863c3c76bf435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
846f3d3b4b6c3e3c8f0a5bb24322a62a

SHA1
8e46bc7821b85da4759fbfb72aedc56fa5928fdc

SHA256
a917773196da4d1b60bcda38b4ec999257910cbd3b9b77e48ce67deb765c73cb

SHA512
e0eabc4adbfe9c219b1c7c2b8029a4467848cc14debd33e5584188941a43bb3fcd55c836a442d3fe27793c64b02b4ff5549f25aa5078841762011a0b27ee82c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
4f6c2c8d2371ffa47490338ef01dcff5

SHA1
136580daadc8f50eadb87dc0635aa58d752b94c7

SHA256
69019c580c9467cbce91353efc6ee40c35a94de7f0935ae19470bd824fc66b58

SHA512
e69fbad6bf446b3cbdfae4ea80386c6c06ec1c567a645b46a818f383261753e294bae323153033a783e141aa3e263e770cc6a5bce69804755d0d0f2234578315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
115KB

MD5
eb91b203f5f98d668fead004d36d50cf

SHA1
8a47410662a020f7533f5ae17a26fd476447074e

SHA256
8deb2ca8c11f5fc135e3aeebcb08be082f1b22a0b2d1e148817a7a1dd74c2d8e

SHA512
8eb07159d7e49862932cea039e301c692699914a5ac87f8e4c5459c137944cbee70b255528b1daa80716bb45f8b641c0ac13e66b6abba1a2b939721eae5f33d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579654.TMP

Filesize
109KB

MD5
b184aeb56cf661e654767e92a5236c4f

SHA1
ce035d359fcefa0a68f744a4cb65a6ce5244af43

SHA256
801bb5de7f1ddcd7124db94b025d815ed53c650b9266b4a4fe6aa125520d0884

SHA512
8ac527bd2cd9cde72506799db2827fb5c7c5940fe900d5ea6517071f3ea93ad83bb8ba0b55278026a7b6b03feb444af1e2f1861ee57a5f7e56e24393b933c52d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240603031.tmp\jre-8u361-windows-x64.exe

Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240603031.tmp\jre-8u361-windows-x64.exe

Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
296KB

MD5
dc9e076e153e9c2c9fd574587a42273f

SHA1
7e26b1f6aeb521a098d6b26121d38f3c12ad6131

SHA256
9e9607e2a3e755b4b65d15dafcbbd980122f3fdf623695c7572d82805e850422

SHA512
c61038879d8eacb40f09207fe7c07e184f4e580e7ed89dad8e23a08f49aabe4a3fe4476177c834456de4c7ccaa0248ad28e670f8f87bb17c52bfa015c9591832

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
5d54c66de0747d248c1374f8d22e3f22

SHA1
7ed6ebe0a3c170c50d3e60fe5feaf984d87eaa2d

SHA256
fe4677ce5e6db6f6229f5c978c76003eb84922e1878dcc0e517b3aa58ebdeccf

SHA512
61c841e718ed9e7b167e3de730506bbe505d4217ef42573ec39a8808fba9fe351a0f0248587611d890f376df40894168f7fd339326dc896db0243abbb768733a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
affd014d4b6dd6dfee403c3466e74c62

SHA1
bc7830defc6a2d7f857015a0784c6d71c9b9cea5

SHA256
6d2b1db990e92a4855dbf575d87ed5b48e0b390ed17f796af839e8c7884bdba9

SHA512
42ab185680c465cb355afff0af3b4ae98d786992a2f1e81c4f18a13e228cc484d1f467cc59af6c290699948b64f96342197465f71db083d39ae785eb10432471

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
293KB

MD5
f20bef4ce919914d3696c8c5eb00957e

SHA1
e08c1d3d627281006a6187c5dfc5890ca2b284ba

SHA256
945b47ad060a201e680ceb37759e4b1018be3dafbe7364894792aadcfc3f4cf2

SHA512
7a44aa768703502c8be6d2022f5d07878c3ed7251e4b1009f032c74228007b8f666f516359327a2932ce800f14ba75f65eaeb1f79e779f76be6c690b53beb211

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.876-Installer-1.0.6-global.exe

Filesize
22.6MB

MD5
2c46460b0b6c89f4993db4ab214fc9ee

SHA1
0a8b0696a59d2635f2303a4f2302cd97ea6d835a

SHA256
7efd1055ea05a8fb0e8dab395b68017720d468d3ffb3ef3baeb501f809528827

SHA512
e79fc7a3bdea24e2425f56b94399b7b732436bec6dc5de3e416a0e0e43ddd8044fc83992f4a1d7a1f86397957f808ce93a40c58c1101566af77a0f62e85a7c44

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.876.zip.crdownload

Filesize
5.9MB

MD5
e0f5a62dd39e22ab95a9429ef55bf14a

SHA1
cf6b438109ef195ddb6bc07988ab25ab03a83125

SHA256
1a91bf186dccdc834269501cb855a85330f83252228fd4833899694492341648

SHA512
791eb4bd5baa8e9eb6168d57ac92217c61f4d0f10773445d55bd4e6e75740c7776bdb125fc602c8caaaca1e4f11f24235fb2800804717715ce2cb13e6ab829dc

Download Submit
C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe

Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe

Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe

Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\Windows\Installer\MSICEAA.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSID2F1.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSID7C5.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSID7C5.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\e57b8d0.msi

Filesize
58.7MB

MD5
407d36101348022e67342b44292d2b39

SHA1
1811ab3993672a9f329868622d96014043bd5f4a

SHA256
213e9fa760dfa2af22a4ac94a10c7f21f4b482aa04e8cf3706264e4c17d2481e

SHA512
cd78f2d3d8057467f87c846fd2252cc2632de822b2c5d37a9f2bcd0c68fafe598bdc4bc69760cd7e84037a5b28b3f11a4385684962857e3ce572ec9b302f0c0c

Download Submit
C:\Windows\Installer\e57b8d3.msi

Filesize
58.7MB

MD5
407d36101348022e67342b44292d2b39

SHA1
1811ab3993672a9f329868622d96014043bd5f4a

SHA256
213e9fa760dfa2af22a4ac94a10c7f21f4b482aa04e8cf3706264e4c17d2481e

SHA512
cd78f2d3d8057467f87c846fd2252cc2632de822b2c5d37a9f2bcd0c68fafe598bdc4bc69760cd7e84037a5b28b3f11a4385684962857e3ce572ec9b302f0c0c

Download Submit
\Program Files\Java\jre1.8.0_361\bin\java.dll

Filesize
163KB

MD5
db081a9968bb0c37a57725cdb66a0c7b

SHA1
d5fed172d82111d1f3bcb46ab3bd8b412f3ee003

SHA256
5b9b01f1ec06ad559285201cf0907e1c31473f6fb91aa09813dd8f076f94afe3

SHA512
8a3717be2bdc1d2e628a069a61ac5b504467c52c7b52496c14050cd0fbc3e1023c791ca8b5c3270579e1cc725a8a0cff62c427dc1c25c2ec74725d1dacc621d5

Download Submit
\Program Files\Java\jre1.8.0_361\bin\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
\Program Files\Java\jre1.8.0_361\bin\server\jvm.dll

Filesize
8.2MB

MD5
a5b5e313919826735b73731252a2bc2e

SHA1
090054f0aeeaaac570130ef5a03c26970cdb050c

SHA256
86765f3558ffbb2cf28fb683ee17c288967e636b5cb4fe0422ade39591f6abf4

SHA512
2e0199624f91f9c952ea4fb81a01096febe8dde6fba85f66e7978c98ba749da3cd53cb6d986260e357c19a1d3b5411d6716548ef57e31ec75d55f4d3a3420c3f

Download Submit
\Program Files\Java\jre1.8.0_361\bin\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
\Program Files\Java\jre1.8.0_361\bin\verify.dll

Filesize
54KB

MD5
c15088054d639475e51b88251369c226

SHA1
8849a9ee53e6bc7d1618103b674a6f481b72f3aa

SHA256
a7e7890ec2e238b3108fe2d9b4796898b2fff30ce07957f60689975d7460098c

SHA512
81ae70caf0304c63adadc3437e592ea9540db59ac7bd7417b769b5702a2aa012bec79aab8ce01187ebbd78555b7824fc4434a113dd9be5b667ce693b293122c4

Download Submit
\Windows\Installer\MSICEAA.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
\Windows\Installer\MSID2F1.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
\Windows\Installer\MSID7C5.tmp

Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
memory/3264-1421-0x000001A872B50000-0x000001A872B51000-memory.dmp

Filesize
4KB

Download
memory/3712-118-0x00007FFD90460000-0x00007FFD90462000-memory.dmp

Filesize
8KB

Download
memory/3712-120-0x00007FFD8E820000-0x00007FFD8E822000-memory.dmp

Filesize
8KB

Download
memory/3712-119-0x00007FFD8E810000-0x00007FFD8E812000-memory.dmp

Filesize
8KB

Download
memory/3712-123-0x0000000140000000-0x0000000140AD4000-memory.dmp

Filesize
10.8MB

Download
memory/3712-122-0x00007FFD8CEE0000-0x00007FFD8CEE2000-memory.dmp

Filesize
8KB

Download
memory/3712-121-0x00007FFD8CED0000-0x00007FFD8CED2000-memory.dmp

Filesize
8KB

Download
memory/3712-117-0x00007FFD90450000-0x00007FFD90452000-memory.dmp

Filesize
8KB

Download
memory/4140-140-0x00007FFD8D8A0000-0x00007FFD8D8A1000-memory.dmp

Filesize
4KB

Download
memory/4168-185-0x00007FFD8FFE0000-0x00007FFD8FFE1000-memory.dmp

Filesize
4KB

Download
memory/4168-186-0x00007FFD8E810000-0x00007FFD8E811000-memory.dmp

Filesize
4KB

Download
memory/5020-1648-0x000001A5129E0000-0x000001A5129E1000-memory.dmp

Filesize
4KB

Download
memory/5112-1586-0x000002B39CCC0000-0x000002B39CCC1000-memory.dmp

Filesize
4KB

Download
memory/5112-1599-0x000002B39CCC0000-0x000002B39CCC1000-memory.dmp

Filesize
4KB

Download
memory/5112-1620-0x000002B39CCC0000-0x000002B39CCC1000-memory.dmp

Filesize
4KB

Download