f0dbf35b026acb481bb42d8fc6155d952c521792ebc1bdd52e3152342a317f92

System Information Discovery

Processes:

prismlauncher.exeprismlauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	prismlauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	prismlauncher.exe

Executes dropped EXE 13 IoCs

Processes:

prismlauncher.exeprismlauncher.exeJavaSetup8u361.exeJavaSetup8u361.exeJavaSetup8u361.exeJavaSetup8u361.exeJavaSetup8u361.exeJavaSetup8u361.exeMSIA110.tmpJavaSetup8u361.exeJavaSetup8u361.exeLZMA_EXELZMA_EXE

pid	process
4292	prismlauncher.exe
4560	prismlauncher.exe
1764	JavaSetup8u361.exe
4328	JavaSetup8u361.exe
1248	JavaSetup8u361.exe
816	JavaSetup8u361.exe
5100	JavaSetup8u361.exe
2252	JavaSetup8u361.exe
2448	MSIA110.tmp
1852	JavaSetup8u361.exe
1920	JavaSetup8u361.exe
2824	LZMA_EXE
1992	LZMA_EXE

Loads dropped DLL 40 IoCs

Processes:

PrismLauncher-Windows-MSVC-Setup-6.3.exeprismlauncher.exeprismlauncher.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe
1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe
1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4292	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4560	prismlauncher.exe
4388	MsiExec.exe
3080	MsiExec.exe
3080	MsiExec.exe
2720	MsiExec.exe
2720	MsiExec.exe
2720	MsiExec.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MSIA110.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0034-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0091-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0047-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0037-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0058-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0045-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0038-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0071-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

MSIA110.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MSIA110.tmp

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\jfr.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.cpl	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\profile.jfc	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\rmiregistry.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\cmm\sRGB.pf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\wsdetect.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\release	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\resources.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\splash.gif	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font_t2k.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\nio.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javafx.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfxswt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcr100.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\LINEAR_RGB.pf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\eula.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxwebkit.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_zh_HK.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\sunec.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\lcms.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\keytool.exe	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfr.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash@2x.gif	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\management\snmp.acl.template	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\sunmscapi.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\JAWTAccessBridge-64.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\rt.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\jfxswt.jar	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\verify.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\prism_common.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\legal\jdk\relaxngdatatype.md	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiItalic.ttf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\charsets.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\bin\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\deploy\messages_sv.properties	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\rt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\fxplugins.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf	msiexec.exe
File created	C:\Program Files (x86)\Java\jre1.8.0_361\lib\ext\localedata.jar	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F32180361F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI220.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC73A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA110.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5eef0f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5eef0f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB93D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC092.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF02B.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

TaskKill.exe

pid process

3544 TaskKill.exe

pid	process
3544	TaskKill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

Processes:

MSIA110.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSIA110.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSIA110.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MSIA110.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MSIA110.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSIA110.tmp

Modifies data under HKEY_USERS 7 IoCs

Processes:

chrome.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133241615108955245"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 64 IoCs

Processes:

MSIA110.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0061-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0048-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0040-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0001-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBA}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBC}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}\INPROCSERVER32	MSIA110.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0056-ABCDEFFEDCBC}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBB}	MSIA110.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}	MSIA110.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

JavaSetup8u361.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	JavaSetup8u361.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

prismlauncher.exeprismlauncher.exe

pid process

4292 prismlauncher.exe
4560 prismlauncher.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exeMSIA110.tmpjp2launcher.exemsiexec.exe

pid process

1176 chrome.exe
1176 chrome.exe
2448 MSIA110.tmp
2448 MSIA110.tmp
1640 jp2launcher.exe
1640 jp2launcher.exe
1972 msiexec.exe
1972 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

prismlauncher.exeprismlauncher.exe

pid process

4292 prismlauncher.exe
4560 prismlauncher.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

1176 chrome.exe
1176 chrome.exe
1176 chrome.exe
1176 chrome.exe
1176 chrome.exe
1176 chrome.exe
1176 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TaskKill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3544	TaskKill.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe
Token: SeCreatePagefilePrivilege	1176	chrome.exe
Token: SeShutdownPrivilege	1176	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe
1176	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

JavaSetup8u361.exeJavaSetup8u361.exejp2launcher.exeJavaSetup8u361.exeLZMA_EXELZMA_EXE

pid	process
4328	JavaSetup8u361.exe
4328	JavaSetup8u361.exe
2252	JavaSetup8u361.exe
2252	JavaSetup8u361.exe
2252	JavaSetup8u361.exe
1640	jp2launcher.exe
1920	JavaSetup8u361.exe
1920	JavaSetup8u361.exe
1920	JavaSetup8u361.exe
2824	LZMA_EXE
1992	LZMA_EXE
1920	JavaSetup8u361.exe
1920	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PrismLauncher-Windows-MSVC-Setup-6.3.exeprismlauncher.exeprismlauncher.exechrome.exe

description	pid	process	target process
PID 1536 wrote to memory of 3544	1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe	TaskKill.exe
PID 1536 wrote to memory of 3544	1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe	TaskKill.exe
PID 1536 wrote to memory of 3544	1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe	TaskKill.exe
PID 1536 wrote to memory of 4292	1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe	prismlauncher.exe
PID 1536 wrote to memory of 4292	1536	PrismLauncher-Windows-MSVC-Setup-6.3.exe	prismlauncher.exe
PID 4292 wrote to memory of 4376	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 4376	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 2680	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 2680	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 2072	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 2072	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 3368	4292	prismlauncher.exe	javaw.exe
PID 4292 wrote to memory of 3368	4292	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2044	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2044	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 320	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 320	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2712	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2712	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2720	4560	prismlauncher.exe	javaw.exe
PID 4560 wrote to memory of 2720	4560	prismlauncher.exe	javaw.exe
PID 1176 wrote to memory of 1712	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 1712	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3200	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 4868	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 4868	1176	chrome.exe	chrome.exe
PID 1176 wrote to memory of 3964	1176	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-6.3.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-6.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\TaskKill.exe
TaskKill /IM prismlauncher.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
3⤵
PID:4376

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
3⤵
PID:2680

C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
3⤵
PID:2072

C:\ProgramData\Oracle\Java\javapath\javaw.exe
C:\ProgramData\Oracle\Java\javapath\javaw.exe -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
3⤵
PID:3368

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4560

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
2⤵
PID:2044

C:\ProgramData\Oracle\Java\javapath\javaw.exe
C:\ProgramData\Oracle\Java\javapath\javaw.exe -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
2⤵
PID:2720

C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
2⤵
PID:2712

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PrismLauncher/jars/JavaCheck.jar
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd60e29758,0x7ffd60e29768,0x7ffd60e29778
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:2
2⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3352 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4688 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4672 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3244 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4664 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5560 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:1
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5868 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6048 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1844,i,16491268559024728436,3121624343046970215,131072 /prefetch:8
2⤵
PID:2348

C:\Users\Admin\Downloads\JavaSetup8u361.exe
"C:\Users\Admin\Downloads\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\Temp\jds241030031.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds241030031.tmp\JavaSetup8u361.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Users\Admin\Downloads\JavaSetup8u361.exe
"C:\Users\Admin\Downloads\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\jds241037671.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds241037671.tmp\JavaSetup8u361.exe"
3⤵
- Executes dropped EXE
PID:816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

C:\Users\Admin\Downloads\JavaSetup8u361.exe
"C:\Users\Admin\Downloads\JavaSetup8u361.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Users\Admin\AppData\Local\Temp\jds241061140.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds241061140.tmp\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\Installer\MSIA110.tmp
"C:\Windows\Installer\MSIA110.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:332

C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
3⤵
PID:2340

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" /x {4A03706F-666A-4037-7777-5F2748764D10} /qn
4⤵
PID:4852

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6415A9174C94943DF5E413C6F74DF961
2⤵
- Loads dropped DLL
PID:4388

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 111617DC85F34F0879CCA4BC52E0A13D E Global\MSI0000
2⤵
- Loads dropped DLL
PID:3080

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3A2979EC8F3EE17A9070ECE2B7336DA5
2⤵
- Loads dropped DLL
PID:2720

C:\Users\Admin\Downloads\JavaSetup8u361.exe
"C:\Users\Admin\Downloads\JavaSetup8u361.exe"
1⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\jds241124953.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds241124953.tmp\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery