e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u361.exe
Size

2.2MB
MD5

d3809baddaf7b1e7d94484160043328b
SHA1

e1979f5248d3b20858b11386ce22b1ccb0a9bfb5
SHA256

e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079
SHA512

96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6
SSDEEP

49152:OOt2ad8mKKue2/8cTs0HFTPO86O3jUfkptVx41inlc8z+o2:OOt2yMT/8cTs09RjUu54Ai

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

JavaSetup8u361.exeLZMA_EXELZMA_EXEinstaller.exejavaw.exessvagent.exejavaws.exejp2launcher.exe

pid process

3540 JavaSetup8u361.exe
1924 LZMA_EXE
3912 LZMA_EXE
1784 installer.exe
1176 javaw.exe
2180 ssvagent.exe
1624 javaws.exe
3852 jp2launcher.exe

pid	process
3540	JavaSetup8u361.exe
1924	LZMA_EXE
3912	LZMA_EXE
1784	installer.exe
1176	javaw.exe
2180	ssvagent.exe
1624	javaws.exe
3852	jp2launcher.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exejavaw.exeinstaller.exessvagent.exejp2launcher.exe

pid	process
1620	MsiExec.exe
1620	MsiExec.exe
1620	MsiExec.exe
1176	javaw.exe
1176	javaw.exe
1176	javaw.exe
1176	javaw.exe
1176	javaw.exe
1176	javaw.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
1784	installer.exe
2180	ssvagent.exe
2180	ssvagent.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe
3852	jp2launcher.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

ssvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0162-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0168-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0200-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0078-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0200-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0259-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0274-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0346-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0304-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0123-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0361-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0217-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0237-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0320-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0283-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0075-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0106-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0103-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0147-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0176-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0190-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0268-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0361-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0076-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0156-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0312-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0132-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0353-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0316-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0058-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0360-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0341-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0325-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0241-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0265-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe

Drops file in System32 directory 3 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File opened for modification	C:\Windows\SysWOW64\WindowsAccessBridge-32.dll	installer.exe
File created	C:\Windows\SysWOW64\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\libpng.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_fr.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\joni.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\relaxngdatatype.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunjce_provider.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\dtplugin\deployJava1.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\java.policy	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\invalid32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\unicode.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_ja.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jsdt.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\unpack.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\meta-index	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_HK.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\charsets.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\relaxngcc.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\icu.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\API-MS-Win-core-xstate-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\sound.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_CN.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\dnsns.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr\profile.jfc	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\javafx.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfxswt.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\management-agent.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\xalan.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\JAWTAccessBridge-32.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\zipfs.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\libxml2.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\management\jmxremote.password.template	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jli.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_240602015\javaws.exe	installer.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\prism_sw.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\santuario.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\security\public_suffix_list.dat	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fontconfig.properties.src	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\ecc.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\javafx_iio.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\Xusage.txt	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_es.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\dynalink.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\access-bridge-32.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\javafx\mesa3d.md	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\j2pcsc.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jsoundds.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e56f85f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI149.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180361F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\e56f85f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A.tmp	msiexec.exe
File created	C:\Windows\Installer\e56f862.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9167671E-7E42-49E1-97FC-4F4712EB4CEE}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0083-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_83"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0103-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0253-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0086-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0182-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0162-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0165-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_81"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0249-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0204-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_43"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0136-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_187"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_169"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0084-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0318-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0127-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0110-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0055-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0109-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0184-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0100-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0235-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_235"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0097-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_97"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0306-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0174-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_293"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_191"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0219-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0182-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0071-ABCDEFFEDCBA}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_99"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0236-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0121-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0222-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_222"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0237-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0326-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0182-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0359-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0036-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_36"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0348-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0158-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0273-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_273"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBA}\ = "Java Plug-in 1.5.0_55"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0067-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0200-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_200"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0098-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_16"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0359-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_359"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_216"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0115-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\ = "Java Plug-in 1.3.0_02"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0056-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0171-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_90"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0091-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_80"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0362-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_127"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0212-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0014-0002-0091-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_91"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0018-0000-0295-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0016-0000-0145-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBB}\InprocServer32	installer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JavaSetup8u361.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

javaws.exejp2launcher.exe

pid process

1624 javaws.exe
1624 javaws.exe
3852 jp2launcher.exe
3852 jp2launcher.exe

pid	process
1624	javaws.exe
1624	javaws.exe
3852	jp2launcher.exe
3852	jp2launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JavaSetup8u361.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3540	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	3540	JavaSetup8u361.exe
Token: SeSecurityPrivilege	3724	msiexec.exe
Token: SeCreateTokenPrivilege	3540	JavaSetup8u361.exe
Token: SeAssignPrimaryTokenPrivilege	3540	JavaSetup8u361.exe
Token: SeLockMemoryPrivilege	3540	JavaSetup8u361.exe
Token: SeIncreaseQuotaPrivilege	3540	JavaSetup8u361.exe
Token: SeMachineAccountPrivilege	3540	JavaSetup8u361.exe
Token: SeTcbPrivilege	3540	JavaSetup8u361.exe
Token: SeSecurityPrivilege	3540	JavaSetup8u361.exe
Token: SeTakeOwnershipPrivilege	3540	JavaSetup8u361.exe
Token: SeLoadDriverPrivilege	3540	JavaSetup8u361.exe
Token: SeSystemProfilePrivilege	3540	JavaSetup8u361.exe
Token: SeSystemtimePrivilege	3540	JavaSetup8u361.exe
Token: SeProfSingleProcessPrivilege	3540	JavaSetup8u361.exe
Token: SeIncBasePriorityPrivilege	3540	JavaSetup8u361.exe
Token: SeCreatePagefilePrivilege	3540	JavaSetup8u361.exe
Token: SeCreatePermanentPrivilege	3540	JavaSetup8u361.exe
Token: SeBackupPrivilege	3540	JavaSetup8u361.exe
Token: SeRestorePrivilege	3540	JavaSetup8u361.exe
Token: SeShutdownPrivilege	3540	JavaSetup8u361.exe
Token: SeDebugPrivilege	3540	JavaSetup8u361.exe
Token: SeAuditPrivilege	3540	JavaSetup8u361.exe
Token: SeSystemEnvironmentPrivilege	3540	JavaSetup8u361.exe
Token: SeChangeNotifyPrivilege	3540	JavaSetup8u361.exe
Token: SeRemoteShutdownPrivilege	3540	JavaSetup8u361.exe
Token: SeUndockPrivilege	3540	JavaSetup8u361.exe
Token: SeSyncAgentPrivilege	3540	JavaSetup8u361.exe
Token: SeEnableDelegationPrivilege	3540	JavaSetup8u361.exe
Token: SeManageVolumePrivilege	3540	JavaSetup8u361.exe
Token: SeImpersonatePrivilege	3540	JavaSetup8u361.exe
Token: SeCreateGlobalPrivilege	3540	JavaSetup8u361.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe
Token: SeRestorePrivilege	3724	msiexec.exe
Token: SeTakeOwnershipPrivilege	3724	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

JavaSetup8u361.exejp2launcher.exe

pid process

3540 JavaSetup8u361.exe
3540 JavaSetup8u361.exe
3540 JavaSetup8u361.exe
3540 JavaSetup8u361.exe
3852 jp2launcher.exe

pid	process
3540	JavaSetup8u361.exe
3540	JavaSetup8u361.exe
3540	JavaSetup8u361.exe
3540	JavaSetup8u361.exe
3852	jp2launcher.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

JavaSetup8u361.exeJavaSetup8u361.exemsiexec.exeinstaller.exejavaws.exe

description	pid	process	target process
PID 4480 wrote to memory of 3540	4480	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 4480 wrote to memory of 3540	4480	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 4480 wrote to memory of 3540	4480	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 3540 wrote to memory of 1924	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3540 wrote to memory of 1924	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3540 wrote to memory of 1924	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3540 wrote to memory of 3912	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3540 wrote to memory of 3912	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3540 wrote to memory of 3912	3540	JavaSetup8u361.exe	LZMA_EXE
PID 3724 wrote to memory of 1620	3724	msiexec.exe	MsiExec.exe
PID 3724 wrote to memory of 1620	3724	msiexec.exe	MsiExec.exe
PID 3724 wrote to memory of 1620	3724	msiexec.exe	MsiExec.exe
PID 3724 wrote to memory of 1784	3724	msiexec.exe	installer.exe
PID 3724 wrote to memory of 1784	3724	msiexec.exe	installer.exe
PID 3724 wrote to memory of 1784	3724	msiexec.exe	installer.exe
PID 1784 wrote to memory of 1176	1784	installer.exe	javaw.exe
PID 1784 wrote to memory of 1176	1784	installer.exe	javaw.exe
PID 1784 wrote to memory of 1176	1784	installer.exe	javaw.exe
PID 1784 wrote to memory of 1624	1784	installer.exe	javaws.exe
PID 1784 wrote to memory of 1624	1784	installer.exe	javaws.exe
PID 1784 wrote to memory of 1624	1784	installer.exe	javaws.exe
PID 1624 wrote to memory of 3852	1624	javaws.exe	jp2launcher.exe
PID 1624 wrote to memory of 3852	1624	javaws.exe	jp2launcher.exe
PID 1624 wrote to memory of 3852	1624	javaws.exe	jp2launcher.exe

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\jds240542937.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds240542937.tmp\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
3⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
3⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57FBC52BAD666F51EB3B9AA7E8666E54
2⤵
- Loads dropped DLL
PID:1620

C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
"C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F32180361F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
"C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176

C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe
"C:\Program Files (x86)\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2180

C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
"C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe
"C:\Program Files (x86)\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre1.8.0_361\bin\WindowsAccessBridge-32.dll
Filesize
164KB

MD5
2d71f962c98788eaec762f02a74db260

SHA1
60a8feb42981d09017892a58e0f429c12c3cb5d0

SHA256
7c750610c77c11232f7f057a8fab36c8335871a18575a5891812bde1798e8010

SHA512
f0cdfd21b84c3a2df0bc41fb485d9135688f471d22e6c4e54ff8cea3478d0659aa0ef86c82f980a57159f7145a851358fe07779af3e94a3df90ce2689da57446

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
10KB

MD5
801750157960c928af876c3ec8dd4651

SHA1
1cb405eb7339ef121df51f5eba44e0b0177a76d3

SHA256
be330de7aa8f2f33bcdabf0cec2551399b4ea0f22335a0277ea9c3a7aa405bdd

SHA512
70d84b12ec65f497720dd3ee2c634a67d2f0011c9ea825bdbf20343f3572a99432a843cb178f705d923649694cd38aea9ed97b7162138e56374cd369d158d2b0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll
Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-heap-l1-1-0.dll
Filesize
11KB

MD5
8af9779906d36b71166a1e286c880d0d

SHA1
deb18c79ab7def1f7ce1b22f90d21b3f6c5d8ef3

SHA256
2e9a683aa69db2f8186ce9ac3e6a610fc727390155668b2680a728a6e6c67247

SHA512
c9927edc959272747aad42f9d243119fba2d126ac7e0463b59847e3738fe62fe58c01f666791d66177949e61b6bf36da67d558475382aa71a236794137186e96

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
11KB

MD5
57a0a074d52e17ce0fec69b4106bceb4

SHA1
f6fbe3fe91884d3aa19ce93156423da55bdd6ced

SHA256
f378ed4e0a68ca5fefff824912a5ec14992a6a8859e088a50a6df6d632611834

SHA512
8878c3bc77e004924e4595e03d0e717c75e44475e3bef923facd8435fbb26d2f7b3e16acb1e0516e0d0a5df502375ef86aa360d7c9cd79a52256b946896a7df3

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
13KB

MD5
45578c4fafc6d9d5ab6e78a07827c19e

SHA1
2fdf383c24a697a0cc29231dab4d0a77207a29f1

SHA256
6d298ae58e7651d23b75a4f6cc070794e716574fe497105fb4ef727ce9782779

SHA512
63ce2272ecc03e7e8c60395360fc685b4b144fb1cadc709f15e070e4e7b769ab282e7a652254386e83827d7982936f38a152014848e183fdb0ea38dff92e83bd

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-1-0.dll
Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-synch-l1-1-0.dll
Filesize
12KB

MD5
69e1eddc7cd991f9f5db2fc6fdb6f46e

SHA1
6e8a961767f5ac308d569fd57e84b56b145c6c53

SHA256
cc39ce8fe4a38a80c7b316a7191bd319efd99f9f7cb5b97fe8c3d65d2e788070

SHA512
61935e8eab14babb17dc4362e49f06119efde5de0d3b8d0e330b8b8989ffaeacefd23eada19d4747605f9e9f510ed4f11618b047f6c915554162f19e5a138f3f

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll
Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\client\jvm.dll
Filesize
3.8MB

MD5
9544b9113212187322433e63957facfb

SHA1
aa6a5404a745a6c683b055b26eccec151234ee68

SHA256
8249bcff9a8d9aa7e580076e2c84147571270eb27c74a7dc8df52a447b123d86

SHA512
c65ba9dd79ed41f92515280c9f87b94b5495daafc614b708d62fee2307fe51293c829651db070ca2cfe8eb0122dff013be815c0cf58770bc75eddbc5d2360fc6

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll
Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.dll
Filesize
139KB

MD5
286bba6f961e7d873d5c84f57cd1118a

SHA1
c659530ae34fabc24dc6fb55f37485a8d0bca2d0

SHA256
4f068301312fab1d1fd3e3ea0bcd87c4f730f69031337decb343b9ecb5028984

SHA512
c03ad585fd3f486448c86831f93118575b3586fac79f55448daa794ba6be95fc2a1595186d6c8b7881303b3cd1226b2eb10b7bdbc59a457384ba1340daabf058

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\java.exe
Filesize
243KB

MD5
f54d91426b62c8ef31178f71335ef99c

SHA1
9b0f30125443a5c096ac06cc916c15ff2fd66ca1

SHA256
07b0ee9f33ce4a6ff30edd68ff21749b2a0db9c8e857c08026597b15c15b2e6c

SHA512
0fb8bdbe7a3e69951bbee04707b1602707dd179c36c79bd60333e3b75932fe14f81ff28737d04a5297f0340aa52dcbaa007abb4f8ef3327ca7bebfc389c78be0

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javacpl.exe
Filesize
91KB

MD5
0b0c5661fcf66b5869900431bae21414

SHA1
db5c0c1cc89c90f68e78f1691e87482eb4058ee6

SHA256
532a34d89e8edb395040d2abd33c6c7192d599039a4c440c94e6b4440e3c66d4

SHA512
458780fc5967834b0ba4d7a3f26767563766d634253ff5faaf02c2b20048ac4b642126e32b126f1c6fec431edb186a9ecb2ddfba2c62d9e7a1e88428284ea665

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaw.exe
Filesize
243KB

MD5
71ac3db0e1d4363ff8695ca610af1ae4

SHA1
35ee53d9c6b541f4e9422875fb5a246d975afc85

SHA256
fbc762cd79977cee061bc9d2bf19c9687856759afec067121cce58e1cc124d2c

SHA512
53a75165d3a4683573f7d16015bda25cbfdabb8981ca8ffd0789105a6cdbf9a02f4e7a71b47efc581c14a90fd54760e4e7dc6e9786abc325a190c945b67cffb8

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\javaws.exe
Filesize
381KB

MD5
e6fa604812e871bf51bd401a0874177b

SHA1
60ebd6837aea9e102d8a1b599ab7cd3d2eb29734

SHA256
8b16bf14fbd6b379f3e8cf672b7bfbd08ba772b78d97186565250d292094ab52

SHA512
0b482843c8eb2873672bf7c1bf992ae186650dc5d769a2a159b3da0648181a2de6feb2712808529bb18f00c3a095e2c2180fada16a021dd965518993dbf99c32

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll
Filesize
45KB

MD5
1529b8470b734c65adb54c54c10903ec

SHA1
355d47cf1908264d33b9e131c256c8ab22d7430f

SHA256
a70a398cdf172e1f3e3c6a5b059472600d7ab8b13a6884bbf069bf1db80a02fa

SHA512
cafa041639729bf562b5296f560015be0f3f0a73d36468356cc6a4739e50358e7862e1a213ac83005916471fd2c565c670cbb9d685b3df97bc6e27be77d57e2c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll
Filesize
45KB

MD5
1529b8470b734c65adb54c54c10903ec

SHA1
355d47cf1908264d33b9e131c256c8ab22d7430f

SHA256
a70a398cdf172e1f3e3c6a5b059472600d7ab8b13a6884bbf069bf1db80a02fa

SHA512
cafa041639729bf562b5296f560015be0f3f0a73d36468356cc6a4739e50358e7862e1a213ac83005916471fd2c565c670cbb9d685b3df97bc6e27be77d57e2c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll
Filesize
77KB

MD5
c778ab1da82f2410a31e30485e378116

SHA1
ec509f74894ef912cd92e952275d8612c9718bf1

SHA256
d933811b841b5907a8716d9ad964e01f8375cc1f247a85d2a5d341aa190cddf1

SHA512
af3ae5687894bc0ccb3f38b0d74b2fb13a938b0d6326ed26b940e108dfadced3e085679334c527f045985860a50aa3bfae18add12a9ba2e8fe2ff4e2754330c7

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\bin\zip.dll
Filesize
77KB

MD5
c778ab1da82f2410a31e30485e378116

SHA1
ec509f74894ef912cd92e952275d8612c9718bf1

SHA256
d933811b841b5907a8716d9ad964e01f8375cc1f247a85d2a5d341aa190cddf1

SHA512
af3ae5687894bc0ccb3f38b0d74b2fb13a938b0d6326ed26b940e108dfadced3e085679334c527f045985860a50aa3bfae18add12a9ba2e8fe2ff4e2754330c7

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\installer.exe
Filesize
853KB

MD5
87706ed4a1182eba06403297a4e82b54

SHA1
1dc5a582f3c636ff4b1d584691b79a2efb1bf971

SHA256
409b73823b06416f140d1c77214788eb33873ba7ce9be2e012826c52cd3339e3

SHA512
796d7df635532a1db788f591ad9226d0e63ce84d306662265d30327536dd1318f91e51663bc0ee7df49569d681c36e802c461cedeccc3826b9f68260a243ac4e

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\charsets.jar
Filesize
2.9MB

MD5
d931edec81110a6e8c1e51225bf23587

SHA1
413824475fb5a61f6359a8190f65631989614568

SHA256
13474707a01773a82309ceb2cd7417a2880770c6cfcf07dd659345bb984401e2

SHA512
e218ca85a5ff968bf8b9fe992a7609a68e52b74aa868409d1ab2059684a98e1e241314a070abf9381aeeb0d892b8b5f602aa5233762649b3c30de9b5f321084c

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\classlist
Filesize
82KB

MD5
7fc71a62d85ccf12996680a4080aa44e

SHA1
199dccaa94e9129a3649a09f8667b552803e1d0e

SHA256
01fe24232d0dbefe339f88c44a3fd3d99ff0e17ae03926ccf90b835332f5f89c

SHA512
b0b9b486223cf79ccf9346aaf5c1ca0f9588247a00c826aa9f3d366b7e2ef905af4d179787dcb02b32870500fd63899538cf6fafcdd9b573799b255f658ceb1d

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\i386\jvm.cfg
Filesize
623B

MD5
9aef14a90600cd453c4e472ba83c441f

SHA1
10c53c9fe9970d41a84cb45c883ea6c386482199

SHA256
9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1

SHA512
481562547bf9e37d270d9a2881ac9c86fc8f928b5c176e9baf6b8f7b72fb9827c84ef0c84b60894656a6e82dd141779b8d283c6e7a0e85d2829ea071c6db7d14

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jce.jar
Filesize
119KB

MD5
1f4d4fc6b33c30c5782c66b80d92c4f9

SHA1
194df32fb23b470dae4929605d18abd041c743c6

SHA256
81b8de0e148ed3601cf5f1bdf2787c5b15213d842bc537af9ede9635d692b904

SHA512
dfde7e03fc106b785887f2a409b3528c5862663f188c95f6a95c739bdfcc8c6205c03b739de1b259e9a8a0360aa4e10e8d4bce1a57445797a214160b8d98a085

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr.jar
Filesize
559KB

MD5
83b10289a40d1a87eb8f80f3f3353845

SHA1
757a8488fb4ad515dee200e6a8be286534d67bfe

SHA256
a4b76d82d3a023157c985bff3fe260783ddc49d8ac11518cc7b892705be5deb3

SHA512
ff501459627c0e6ccd1b3e4389eee366617e20858080812e685b3f84a25bd5234349fec68d1e18bd331df64ce350fdcca839c85755fb6b2aa6f3244fa5968789

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\jsse.jar
Filesize
1.7MB

MD5
2c5922e1ffe6852456056a33782fef87

SHA1
a1ce0aa69665035fe55a83f562d09b9a8db23394

SHA256
7b5eb361498b313d941ac945c9e40d8d11865df2669e7cd0770f1c571ea34e28

SHA512
7922e839dcae3045124b380cd9f5f42923092bd95d74c221e2ffabce9dbc4e32463b1942a187981b5251d01bc17a899e4686c0863f5a3a7080a83f4825169e23

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\meta-index
Filesize
2KB

MD5
91aa6ea7320140f30379f758d626e59d

SHA1
3be2febe28723b1033ccdaa110eaf59bbd6d1f96

SHA256
4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

SHA512
03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\resources.jar
Filesize
3.4MB

MD5
196257767a2e3a12fd1154400d807109

SHA1
0557d03f281abbc42f9a7d0779fde41df13703cd

SHA256
7ac23eae2f85da33158394602b6a7916057dbb5ea9a3ef2911df033f03a8f13f

SHA512
1739a5c395560fb90331eba36ec18707291182c4e961693c7de1ea15285c48e24a1a606442ed9d586bcd040cd391eb88ac37fafe6b0aa20da5935f95a60ca279

Download Submit
C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar
Filesize
53.2MB

MD5
32a3259b2753bf46dd1d6db41bfde524

SHA1
c4deb978992124134cf71d6b48af8fd3dfab8072

SHA256
e37b804af67aee09c8852ee666268970a17b71c3da475b3ffd098236d455367b

SHA512
7fd21fe13ce64009a1440f2992ff955f6934cdc5c43914781f0f994c32be9c8da5cae1b73d07355826905eec6a0a0b604163849ff6d3173120a561059b1451c5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url
Filesize
197B

MD5
faded0d5bdcbad42d8f4826cc3c620fd

SHA1
c49c34f2d2160297b1c0c71c327180ed52ff673e

SHA256
d869d1b0c391cd9ce8f0c633cb8e5731c5073c33f875b32a2a61006a3c1bb24a

SHA512
bc60186037724353460a0f7af8b207ccabe64d80aaff796d9ee082c6cb6573ff214dedc22080fdf23664ce79f7604276e1bab746dcf2407a46e40ff38b7119cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
188B

MD5
684333e26e94b3db4d1971c01f83d030

SHA1
21d61ea4ab5954241d4fe0c3353f4673be3dfff7

SHA256
89321d2dadfbb526104998111361d2207536b7967ea130775389b486cd9b6fce

SHA512
0322d1b37a82b155ce9cf432254d47dde2dd74807f759e39c48b321bb68e73ba50dbe3dbef7b2280f5f6858b44a8d177de027b35ff59493e18cc97743b67765f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
471B

MD5
86e0fb39e93059eddd61d47b8741a220

SHA1
103ba93d82f85dc8b1599759f678eefadf0f081b

SHA256
0889e894623a6aa66df69e82da6b8cbe844aec12971c9433eba44e1edb5dd414

SHA512
90863ee6e2150c741c6ace68cb1e59700033a80050f0fa5eec46c587f50a2c977b328567b57794e0cc78a502a8106a812850461d5aff1c0c48ac2c2935fdbbb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize
727B

MD5
cdb8fdb25f21418609a0a49f467722ac

SHA1
c07d090cc8320e2807acbf6a4b225b5d7257437c

SHA256
e54f35517ed1f5472585579c55b0cba1bebf90ee1f0ee9237ed8b01cbf791dde

SHA512
ba91d76a98cece8b6828f464707c00d9c9795e0168c38ba2094ed3d7d2a7a191ed17dfe89272dd471923f12ed154cf602b036ace67a57da0576e7fc8aab45404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
85b5e4cf88c522811769333ba2784b93

SHA1
05a4b115dab115072470441778e2e22a932ce43a

SHA256
ac0426bbb31daf5805c6206bb5e5f06a89e899485a8100faa69e9c3b3c2b0898

SHA512
24af969e51f0a3ffb7b7c4db727b6910bae1a75a73d45899e87c76b7482fb5e7135108e6408730761b2e7baf2aa16b69fd9a5869f6ea2030582d56be3dd2c497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
400B

MD5
fdd55b585251a245534d44517280c584

SHA1
815b7de8696bb963df9f927bacd1a23d4ca433f9

SHA256
7985ce939203a5b03783f0e4ace88ef039aefd74fa3d2c1fad0deea806da811b

SHA512
e77cf5fc2e659b2542b8bfbf1ec027ae3fb0e6cdaac74a541157339d72f386db0b9976efe0aca92e3714c2a569156e4329c07dfd116bf6635c7745338ca4fe9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize
404B

MD5
647cd6b40a6e8290e6883ee6f255ca97

SHA1
e9f85b3f04abf06e56895feb341c36b4a8c39c65

SHA256
0625c4c99d0ca8a8ea43914e59973b4089370156960dc0dfa7fd6266f6ad74a9

SHA512
37d2c0cef79fb2abcad59b2fc8d9300322b8d2c385284787131558184834d0d53bdb011956b100e11445dd8913b212d6f2cbb9648b146c69600c69f2bb6061af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B

MD5
c0ba2589e1c659ed9135061595b29213

SHA1
08e9f00c6ad7c76878b16e40b67134fd932d268a

SHA256
484b5ad7499fdd7161a6634524c0c6f4ae403da896ebf8a331389a47c15ac18f

SHA512
5cbbee4b9010910cba27cbfae6384f919ec7d04f11a7bad1ea8cb28729e881aa0cc49fde0ba0ca864507ebd1cfff2d840cc2ec93bff258cace0020b6b658b22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi
Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi
Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi
Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi
Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp
Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp
Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240542937.tmp\JavaSetup8u361.exe
Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240542937.tmp\JavaSetup8u361.exe
Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
0ac5647a39875faf5726d3ece696ec9c

SHA1
2d0589ba028e59f36360e1f2d866ac7e37d752e1

SHA256
8bace09a3d51705a443f4a6ae41dabcb24313b86d36889a2184df80581577052

SHA512
865696fa08cccfbea875399e00828fc4de0781ab1a9e0360eb4840cb1936881f5f4b088943343ec5057739df644e161e94e819369bd3e432d4a49b0ca1fb1e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
a8b6efc23ebe3528c3be5dcd94a1acc3

SHA1
290f162d26390cb0921eb861ad6f349c8ad5b4b2

SHA256
458df8357d6de7494b1f7d83a0febe0ef5d15b60e0ef31356a5a8c768f459ce4

SHA512
f8ba7678aa2076b0e2590298a596a421e96314ee7200ad460f6cb3f178f6f7c8095a9827119e6dee3fa428b1ea2e9a0bb31c5e573d0aa25875bea9cc293bf513

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
300KB

MD5
db87ab1bfb322930f22a19645bc1b33d

SHA1
636340a514aef75214ac7905f175831cc2f5fe5e

SHA256
5e235114dd6846065749d988d3aeca5f0e01d3e9e92b64aa5f6f48f77823685e

SHA512
b241a733ebe84504e02f83162ebe5b9b74cb4da177a81950488c817c559b2fe3145187441fcfd36e6389850612d6ff4074e56c500ceb21add08952788ae888fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
312KB

MD5
b0fe0b881cecfb9dc02a616a03631a17

SHA1
5eb8083c5e82e6b11f4b9fb5d28f1e86e96a886f

SHA256
52d8cb64b2fa40d5d27840f61b9c130bae8153ae22aaa9c5310518a8d58bbd5c

SHA512
111cd2d8794ef97fb4e4fb887b0195df98b9bf9b95f9e4effbfc29af6a035a538eaf3490ad61a6f2fdd3427ac38e1714235013ef3d6eb44f64958f272ebb24ae

Download Submit
C:\Windows\Installer\MSI149.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI149.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI41A.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI41A.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSI41A.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIFD8F.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\MSIFD8F.tmp
Filesize
602KB

MD5
dbaf31f37c583df88814c6edbfe7f884

SHA1
dc3b941933ebe79301b8a2949316c8bb47e27ccd

SHA256
32ce5f4ea52b3c172a91df18d15bc75b57fc229ede28f408d13d74f50786eeca

SHA512
6303a7bcb88819898cb170a872e10986889382053a91f369c2a77efd0c5970310ef0512ac3ed46d38004e4381c7e191943ff266d7d9a45694923462e869773cb

Download Submit
C:\Windows\Installer\e56f862.msi
Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
C:\Windows\Installer\e56f862.msi
Filesize
53.5MB

MD5
c760bc95af603fec0c41cafd82498a5d

SHA1
6bed421c5268fcd02f3d9439a314fffd84b29235

SHA256
c93f2de2ed4d5420671f5d5ba858b841683183aba9248f9890c4b277c39d2995

SHA512
cc9324416d98cd4ca1ec6e607e684336964d74da5f29f3d56d82b56ac0fe225c1420fbe08f9a559bf80307ea740e9140154f136aa9d3bc473baf60d736b7fd52

Download Submit
memory/1176-811-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3852-1031-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download