f607e4e0cc1d39352854e171efe277e691b01ccc0a15820b72a12de4aace6a4c

Analysis

max time kernel
159s
max time network
326s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.v6.10.10347.exe
Size

32.3MB
MD5

9a09391b4b56f5536ebd631ec9a70467
SHA1

b5b4029e10893e2fa4427e19cc1b8c5be3127a32
SHA256

f607e4e0cc1d39352854e171efe277e691b01ccc0a15820b72a12de4aace6a4c
SHA512

535b887500ad83ef366560392334757fd44b78c272d22b7933b7b7bfe23a2cf88190e299008420dfbe5c03968ac5de91b65895ed009400fc74ce7d67908528b7
SSDEEP

786432:3NwaTjX+cS77nNiO2CCSHVt2lOwwCcovp9dOD:hTjOcSXNSS1slGoC

Score

8^/10

adware bootkit discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

99 3040 msiexec.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

CCleaner.v6.10.10347.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts CCleaner.v6.10.10347.exe

flow	pid	process
99	3040	msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	CCleaner.v6.10.10347.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PACK.EXECCleaner64.exeya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	PACK.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	CCleaner64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ya.exe

Executes dropped EXE 9 IoCs

Processes:

CCleaner64.exePACK.EXEya.exeUpdate-a6a0f7c173094f8dafef996157751ecf.exeUpdate-e70de386ebc763932a181fc37a2ad042.exeUpdate-e70de386ebc763932a181fc37a2ad042.exeinstaller.exejavaw.exessvagent.exe

pid	process
1836	CCleaner64.exe
3988	PACK.EXE
3400	ya.exe
4716	Update-a6a0f7c173094f8dafef996157751ecf.exe
4476	Update-e70de386ebc763932a181fc37a2ad042.exe
4168	Update-e70de386ebc763932a181fc37a2ad042.exe
1808	installer.exe
2920	javaw.exe
408	ssvagent.exe

Loads dropped DLL 64 IoCs

Processes:

CCleaner.v6.10.10347.exeCCleaner64.exeMsiExec.exejavaw.exeinstaller.exe

pid	process
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
3252	CCleaner.v6.10.10347.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
3252	CCleaner.v6.10.10347.exe
1836	CCleaner64.exe
4784	MsiExec.exe
4784	MsiExec.exe
4784	MsiExec.exe
2920	javaw.exe
2920	javaw.exe
2920	javaw.exe
2920	javaw.exe
2920	javaw.exe
2920	javaw.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe
1808	installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exessvagent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0219-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0272-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0032-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0153-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0105-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0040-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0021-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0358-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0350-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0177-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0159-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0130-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0191-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0143-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0245-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0275-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0177-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0216-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0295-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0032-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0058-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0250-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0260-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0347-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0282-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0142-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0289-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0273-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0310-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0316-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0172-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0266-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0118-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

CCleaner64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 CCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in System32 directory 3 IoCs

Processes:

CCleaner64.exeinstaller.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

CCleaner.v6.10.10347.exeUpdate-a6a0f7c173094f8dafef996157751ecf.exemsiexec.exeinstaller.exejavaw.exe

description	ioc	process
File created	C:\Program Files\CCleaner\lang\lang-1110.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\CCleaner\locales\lang.Portuguese.locale	CCleaner.v6.10.10347.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaSansDemiBold.ttf	msiexec.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaTypewriterBold.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\security\java.policy	msiexec.exe
File created	C:\Program Files\CCleaner\lang\lang-3098.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\LICENSE	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\cmm\CIEXYZ.pf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\javacpl.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\jli.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\cldr.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\orbd.exe	msiexec.exe
File created	C:\Program Files\CCleaner\locales\lang.Chinese_Simplified.locale	CCleaner.v6.10.10347.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\jp2native.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\java-rmi.exe	msiexec.exe
File created	C:\Program Files\CCleaner\lang\lang-1035.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\accessibility.properties	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\lcms.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\tzdb.dat	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\ext\sunec.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaBrightDemiBold.ttf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_240701984\javaws.exe	installer.exe
File created	C:\Program Files\CCleaner\lang\lang-1065.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\lcms.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\dt_shmem.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\ext\access-bridge-64.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\jopt-simple.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\servertool.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\security\java.security	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\glib-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\jfr\default.jfc	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\gstreamer-lite.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\unpack200.exe	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\jawt.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaSansRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\release	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\fonts\LucidaBrightRegular.ttf	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\sunec.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File created	C:\Program Files\CCleaner\locales\lang.Turkish.locale	CCleaner.v6.10.10347.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\keytool.exe	msiexec.exe
File created	C:\Program Files\CCleaner\lang\lang-1061.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\server\classes.jsa	javaw.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\CCleaner\locales\lang.Japanese.locale	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\bin\nio.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\jdk\icu.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\THIRDPARTYLICENSEREADME-JAVAFX.txt	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\deploy\splash_11@2x-lic.gif	msiexec.exe
File created	C:\Program Files\CCleaner\lang\lang-1079.dll	CCleaner.v6.10.10347.exe
File created	C:\Program Files\Java\jre1.8.0_361\lib\management\snmp.acl.template	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\CCleaner\lang\lang-1155.dll	CCleaner.v6.10.10347.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	Update-a6a0f7c173094f8dafef996157751ecf.exe
File created	C:\Program Files\Java\jre1.8.0_361\legal\javafx\directshow.md	msiexec.exe

Drops file in Windows directory 51 IoCs

Processes:

CCleaner64.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log	CCleaner64.exe
File opened for modification	C:\Windows\Installer\e58682b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\Installer\MSI70C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log	CCleaner64.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CDA.tmp	msiexec.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00010.log	CCleaner64.exe
File created	C:\Windows\Installer\e58682b.msi	msiexec.exe
File created	C:\Windows\Installer\e58682e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000F.log	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Installer\MSI6F9D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20230328074431.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180361F0}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exemsiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5116 schtasks.exe

pid	process
5116	schtasks.exe

Gathers network information 2 TTPs 9 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
4576	ipconfig.exe
4944	ipconfig.exe
3372	ipconfig.exe
4568	ipconfig.exe
3064	ipconfig.exe
3436	ipconfig.exe
3776	ipconfig.exe
4064	ipconfig.exe
544	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exeCCleaner64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_361\\bin"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	CCleaner64.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CCleaner64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CCleaner64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0242-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0090-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0109-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0202-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0230-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0311-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Java VM\EnableJavaConsole = "0"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_06"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_198"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0217-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0267-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0312-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0298-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0263-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_30"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0110-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0299-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0231-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_231"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0305-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_305"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0095-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0189-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_22"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0170-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0098-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0265-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}\ = "Java Plug-in 1.3.1_08"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_142"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0289-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_289"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0342-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0084-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0102-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_102"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0012-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_12"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0335-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0011-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\JavaPlugin.11662\CLSID	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0213-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0250-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_250"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0172-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0092-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_92"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0140-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_140"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0226-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0140-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0208-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0204-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0330-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_22"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0219-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_219"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_314"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0176-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0092-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_133"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0323-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0329-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_329"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0341-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0045-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0237-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0158-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0217-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_175"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0154-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_151"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0291-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBC}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0158-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_152"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0140-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_140"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0060-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0107-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_107"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0294-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_361\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0313-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0201-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CCleaner64.exepowershell.exepowershell.exepowershell.exe

pid	process
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
2144	powershell.exe
2144	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe
1836	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

CCleaner64.exepowershell.exepowershell.exepowershell.exeUpdate-e70de386ebc763932a181fc37a2ad042.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1836	CCleaner64.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeShutdownPrivilege	1836	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1836	CCleaner64.exe
Token: SeShutdownPrivilege	1836	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1836	CCleaner64.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	1708	powershell.exe
Token: SeSecurityPrivilege	1708	powershell.exe
Token: SeTakeOwnershipPrivilege	1708	powershell.exe
Token: SeLoadDriverPrivilege	1708	powershell.exe
Token: SeSystemProfilePrivilege	1708	powershell.exe
Token: SeSystemtimePrivilege	1708	powershell.exe
Token: SeProfSingleProcessPrivilege	1708	powershell.exe
Token: SeIncBasePriorityPrivilege	1708	powershell.exe
Token: SeCreatePagefilePrivilege	1708	powershell.exe
Token: SeBackupPrivilege	1708	powershell.exe
Token: SeRestorePrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeSystemEnvironmentPrivilege	1708	powershell.exe
Token: SeRemoteShutdownPrivilege	1708	powershell.exe
Token: SeUndockPrivilege	1708	powershell.exe
Token: SeManageVolumePrivilege	1708	powershell.exe
Token: 33	1708	powershell.exe
Token: 34	1708	powershell.exe
Token: 35	1708	powershell.exe
Token: 36	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	1708	powershell.exe
Token: SeSecurityPrivilege	1708	powershell.exe
Token: SeTakeOwnershipPrivilege	1708	powershell.exe
Token: SeLoadDriverPrivilege	1708	powershell.exe
Token: SeSystemProfilePrivilege	1708	powershell.exe
Token: SeSystemtimePrivilege	1708	powershell.exe
Token: SeProfSingleProcessPrivilege	1708	powershell.exe
Token: SeIncBasePriorityPrivilege	1708	powershell.exe
Token: SeCreatePagefilePrivilege	1708	powershell.exe
Token: SeBackupPrivilege	1708	powershell.exe
Token: SeRestorePrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeSystemEnvironmentPrivilege	1708	powershell.exe
Token: SeRemoteShutdownPrivilege	1708	powershell.exe
Token: SeUndockPrivilege	1708	powershell.exe
Token: SeManageVolumePrivilege	1708	powershell.exe
Token: 33	1708	powershell.exe
Token: 34	1708	powershell.exe
Token: 35	1708	powershell.exe
Token: 36	1708	powershell.exe
Token: SeShutdownPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeIncreaseQuotaPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeAssignPrimaryTokenPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeLockMemoryPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeIncreaseQuotaPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeMachineAccountPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeTcbPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeSecurityPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeTakeOwnershipPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeLoadDriverPrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeSystemProfilePrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe
Token: SeSystemtimePrivilege	4168	Update-e70de386ebc763932a181fc37a2ad042.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CCleaner64.exeya.exe

pid process

1836 CCleaner64.exe
1836 CCleaner64.exe
3400 ya.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

CCleaner.v6.10.10347.execmd.exePACK.EXEya.execmd.exeCCleaner64.exeUpdate-e70de386ebc763932a181fc37a2ad042.exemsiexec.exeinstaller.exe

description	pid	process	target process
PID 3252 wrote to memory of 544	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 544	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3064	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3064	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4576	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4576	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3436	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3436	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4944	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4944	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3776	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3776	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4064	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4064	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3372	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 3372	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4568	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 4568	3252	CCleaner.v6.10.10347.exe	ipconfig.exe
PID 3252 wrote to memory of 1836	3252	CCleaner.v6.10.10347.exe	CCleaner64.exe
PID 3252 wrote to memory of 1836	3252	CCleaner.v6.10.10347.exe	CCleaner64.exe
PID 3252 wrote to memory of 4996	3252	CCleaner.v6.10.10347.exe	cmd.exe
PID 3252 wrote to memory of 4996	3252	CCleaner.v6.10.10347.exe	cmd.exe
PID 3252 wrote to memory of 4996	3252	CCleaner.v6.10.10347.exe	cmd.exe
PID 4996 wrote to memory of 3988	4996	cmd.exe	PACK.EXE
PID 4996 wrote to memory of 3988	4996	cmd.exe	PACK.EXE
PID 4996 wrote to memory of 3988	4996	cmd.exe	PACK.EXE
PID 3988 wrote to memory of 2144	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 2144	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 2144	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4496	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4496	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4496	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4400	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4400	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 4400	3988	PACK.EXE	powershell.exe
PID 3988 wrote to memory of 3400	3988	PACK.EXE	ya.exe
PID 3988 wrote to memory of 3400	3988	PACK.EXE	ya.exe
PID 3988 wrote to memory of 3400	3988	PACK.EXE	ya.exe
PID 3400 wrote to memory of 3560	3400	ya.exe	cmd.exe
PID 3400 wrote to memory of 3560	3400	ya.exe	cmd.exe
PID 3400 wrote to memory of 3560	3400	ya.exe	cmd.exe
PID 3560 wrote to memory of 3120	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 3120	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 3120	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 5116	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 5116	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 5116	3560	cmd.exe	schtasks.exe
PID 3560 wrote to memory of 1708	3560	cmd.exe	powershell.exe
PID 3560 wrote to memory of 1708	3560	cmd.exe	powershell.exe
PID 3560 wrote to memory of 1708	3560	cmd.exe	powershell.exe
PID 1836 wrote to memory of 4716	1836	CCleaner64.exe	Update-a6a0f7c173094f8dafef996157751ecf.exe
PID 1836 wrote to memory of 4716	1836	CCleaner64.exe	Update-a6a0f7c173094f8dafef996157751ecf.exe
PID 1836 wrote to memory of 4716	1836	CCleaner64.exe	Update-a6a0f7c173094f8dafef996157751ecf.exe
PID 1836 wrote to memory of 4476	1836	CCleaner64.exe	Update-e70de386ebc763932a181fc37a2ad042.exe
PID 1836 wrote to memory of 4476	1836	CCleaner64.exe	Update-e70de386ebc763932a181fc37a2ad042.exe
PID 4476 wrote to memory of 4168	4476	Update-e70de386ebc763932a181fc37a2ad042.exe	Update-e70de386ebc763932a181fc37a2ad042.exe
PID 4476 wrote to memory of 4168	4476	Update-e70de386ebc763932a181fc37a2ad042.exe	Update-e70de386ebc763932a181fc37a2ad042.exe
PID 3040 wrote to memory of 4784	3040	msiexec.exe	MsiExec.exe
PID 3040 wrote to memory of 4784	3040	msiexec.exe	MsiExec.exe
PID 3040 wrote to memory of 1808	3040	msiexec.exe	installer.exe
PID 3040 wrote to memory of 1808	3040	msiexec.exe	installer.exe
PID 1808 wrote to memory of 2920	1808	installer.exe	javaw.exe
PID 1808 wrote to memory of 2920	1808	installer.exe	javaw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.v6.10.10347.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.v6.10.10347.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:544

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:3064

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:4576

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:3436

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:4944

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:3776

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:4064

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:3372

C:\Windows\SYSTEM32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:4568

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Temp\CC-Updates\Update-a6a0f7c173094f8dafef996157751ecf.exe
"C:\Windows\Temp\CC-Updates\Update-a6a0f7c173094f8dafef996157751ecf.exe" /S
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4716

C:\Windows\Temp\CC-Updates\Update-e70de386ebc763932a181fc37a2ad042.exe
"C:\Windows\Temp\CC-Updates\Update-e70de386ebc763932a181fc37a2ad042.exe" /s REMOVEOUTOFDATEJRES=1
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\jds240667578.tmp\Update-e70de386ebc763932a181fc37a2ad042.exe
"C:\Users\Admin\AppData\Local\Temp\jds240667578.tmp\Update-e70de386ebc763932a181fc37a2ad042.exe" "/s" "REMOVEOUTOFDATEJRES=1"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\Temp\CC-Updates\Update-7fddbac28a9c85c79fe08e2d6506e535.exe
"C:\Windows\Temp\CC-Updates\Update-7fddbac28a9c85c79fe08e2d6506e535.exe" /S
3⤵
PID:180

C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
"C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe" C:\Program Files\VideoLAN\VLC\plugins
4⤵
PID:2376

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files\VideoLAN\VLC\axvlc.dll"
4⤵
PID:2916

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\VideoLAN\VLC\axvlc.dll"
5⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PACK.EXE" -p123
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\PACK.EXE
C:\Users\Admin\AppData\Local\Temp\PACK.EXE -p123
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147781989 -ThreatIDDefaultAction_Actions Allow -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147735505 -ThreatIDDefaultAction_Actions Allow -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -noninteractive -windowStyle hidden -noprofile -command "Add-MpPreference -ThreatIDDefaultAction_Ids 2147814523 -ThreatIDDefaultAction_Actions Allow -Force"
4⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\inst100.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN "G100"
6⤵
PID:3120

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /F /SC HOURLY /MO 3 /TN "G100" /RL HIGHEST /TR "powershell -WindowStyle Hidden -Command \"Start-Process -WindowStyle hidden -FilePath \\\"C:\Users\Admin\AppData\Local\Temp\g100.bat\\\" -ArgumentList \\\"111\\\"\" "
6⤵
- Creates scheduled task(s)
PID:5116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command ""Set-ScheduledTask -TaskName G100 -Trigger (New-JobTrigger -Once -RepetitionInterval 03:00:00 -RepetitionDuration (New-TimeSpan -Days 2) -At (Get-Date).AddMinutes(20)) -Settings $(New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)""
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B3CD7A7823CAE0AB7ABB570CE59B95D1
2⤵
- Loads dropped DLL
PID:4784

C:\Program Files\Java\jre1.8.0_361\installer.exe
"C:\Program Files\Java\jre1.8.0_361\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_361\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180361F0}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_361\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2920

C:\Program Files\Java\jre1.8.0_361\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_361\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:408

C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
PID:4708

C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:4256

C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_361\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:4404

C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_361\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_361" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zNjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzM2MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzYxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:4728

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding A588954679588DB7138453B6B887769E E Global\MSI0000
2⤵
PID:2824

C:\Windows\Installer\MSI9E2B.tmp
"C:\Windows\Installer\MSI9E2B.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
2⤵
PID:4524

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:2068

C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
PID:3404

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
3⤵
PID:224

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6CD21497BCE59FFA928CBB7703CC4B22
2⤵
PID:3976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AEC5180688037587988539A78627B69D E Global\MSI0000
2⤵
PID:1160

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C1BED42D167A96D66BC5FE0F0BC04D6
2⤵
PID:2068

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E5EDDA92EDD887F24C558E53A1836ECD E Global\MSI0000
2⤵
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58682d.rbs
Filesize
984KB

MD5
d0aa839fb2fe75fdb23311babb4596ea

SHA1
f23bc61974f8a2ed743684d86e444cd0df09fc2c

SHA256
66ed7812374f34d29ab2d50ad104e4e432935cbcd51dd397980603e2e44aaa86

SHA512
18720ce52c40985776a1c239a6d1c209ff29280111c59760a997859abf9d9aff3e857f4c30ee5041592b54bd794539f931a606c456425ac23d97078eba96112e

Download Submit
C:\Config.Msi\e586830.rbs
Filesize
49KB

MD5
5f731b77b36e22c63899b8fed8a4c702

SHA1
c5c7afc88a3ebc52943350957a93a4a0b9b404f0

SHA256
9630def0f8d7e5bd30a8c98576a475e1b9bba4071b71b8e7415d2a1bf5ba5780

SHA512
47b46b9489d6f7b7446525280e5bce89842f5b616adc04ef78b0aa58a0052dfc28778547d0648252a8defc53f34ef7c200982a190f0d04d235610bddfc0f6fd1

Download Submit
C:\Config.Msi\e5868f4.rbs
Filesize
7KB

MD5
7ff47c6c9c4b5037351d081e7c97561f

SHA1
73c90e8b596367e191ab38a0592c8c6ec2ec91f3

SHA256
1b8d213a8e1fc7dc98e2c228cc9d55bd5e372e5225c66d2dad0f205fbf1967e7

SHA512
3104f3f3348b66a982c12f7df53b414f0acbfb662cca8e580c63a6259c756f5e191cff6b4480264e0618fc3599aa74e7574a34f735776dbd4268fd80fa817cfa

Download Submit
C:\Config.Msi\e5868fa.rbs
Filesize
8KB

MD5
bbe0ee5e3e31d5e11511eced02329f0a

SHA1
b3ecf9650445f4c6213418de47fec71820b70a4b

SHA256
751dd4e2e14870cdbd4b734c19d9d30a3ba5d093ca0e3880158b79634ab71fcc

SHA512
0fc7eb0524e099bb740ea6980360d781157de22555fe75b34af5d364f4b1d4ba93ad2b314b85a42cdc2fac8fc270b0cd7c008d78389cc8f0cd88e7eaf287a42b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
935KB

MD5
d36deceeb4c9645aab2ded86608d090b

SHA1
912f4658c4b046fbadd084912f9126cb1ae3737b

SHA256
018d74ff917692124dee0a8a7e6302aecd219d79b049ad95f2f4eedea41b4a45

SHA512
9752a9e57dd2e6cd454ba6c2d041d884369734c2b62c53d3ec4854731c398cd6e25ac75f7a55cda9d4b4c2efb074cb2e6efcbf3080cd8cc7d9bc8c9a25f62ff2

Download Submit
C:\Program Files\CCleaner\CCEnhancer.exe
Filesize
835KB

MD5
928cb9009e248e648280270255d6d44b

SHA1
5ff1b16d9da12d5325a8169ee1d7a770e62d660a

SHA256
4d025fad652ec6b890883f64e617f1e5dccfbff0dc857631695c6cf4315c1c23

SHA512
e0a1e4e667d71853dca434309d48beeb1d2a04f89c7c8bfc94f7a8c8f1cc3ba948f78e06ab6dea9aaeb1fdc3d6f40840de31bf5e4032907698f68f120bcb24e2

Download Submit
C:\Program Files\CCleaner\CCleaner.dat
Filesize
80B

MD5
6e6499100191a660813bb594ab561868

SHA1
83df514c5f40a57240a7a9cd143a13d57ddc6611

SHA256
371a402c1ed762951a30393fb238543ff9a1ca78727b37f6add40ce096700927

SHA512
a3e25e4ad033e8af88581d0fa20b6727c47e826179411f82bae7e85a5483f9a7be44b1e734e311a40e9c2f16b7e3558d3544ba84b1ffaea2e19232c27a1fe0e0

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
75290d2b9b0d182ade602ffd9ac1bb5c

SHA1
39602e6ea8de45d0f7bb3e0eb2b5066f3bf3e390

SHA256
535e2a83829d6e68d8b7f4f1224b69de4f3b888ad71887c4f8bbf2794627d096

SHA512
c010e844c158752e9d02240ecd102104d594ecee714e78c984bb47299c1cc7ba5f31cd81fd4cddfb7abf627dcd118a5e4dafd956376c161a3a2f7fc125ac5eca

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
75290d2b9b0d182ade602ffd9ac1bb5c

SHA1
39602e6ea8de45d0f7bb3e0eb2b5066f3bf3e390

SHA256
535e2a83829d6e68d8b7f4f1224b69de4f3b888ad71887c4f8bbf2794627d096

SHA512
c010e844c158752e9d02240ecd102104d594ecee714e78c984bb47299c1cc7ba5f31cd81fd4cddfb7abf627dcd118a5e4dafd956376c161a3a2f7fc125ac5eca

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
75290d2b9b0d182ade602ffd9ac1bb5c

SHA1
39602e6ea8de45d0f7bb3e0eb2b5066f3bf3e390

SHA256
535e2a83829d6e68d8b7f4f1224b69de4f3b888ad71887c4f8bbf2794627d096

SHA512
c010e844c158752e9d02240ecd102104d594ecee714e78c984bb47299c1cc7ba5f31cd81fd4cddfb7abf627dcd118a5e4dafd956376c161a3a2f7fc125ac5eca

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
60KB

MD5
e528e6ef09563e1148c7e80fae9ab937

SHA1
f6bc0bec5eb3568eac823f0db670ef03929d6da5

SHA256
c6be338b8927ccd7b96a236b2cd46d6f8ef2c31d7ed048679ac867f1445c41da

SHA512
c1afdd98f25bd676c5f3e24b0f4fcdeca43db7dd4eb8800b7714dea82aa57e2d71d6bdf912812c68a4231980304947df5b88fe43e32cc66f6f83a76779be9943

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
60KB

MD5
e528e6ef09563e1148c7e80fae9ab937

SHA1
f6bc0bec5eb3568eac823f0db670ef03929d6da5

SHA256
c6be338b8927ccd7b96a236b2cd46d6f8ef2c31d7ed048679ac867f1445c41da

SHA512
c1afdd98f25bd676c5f3e24b0f4fcdeca43db7dd4eb8800b7714dea82aa57e2d71d6bdf912812c68a4231980304947df5b88fe43e32cc66f6f83a76779be9943

Download Submit
C:\Program Files\CCleaner\gcapi_16799894901836.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\Java\jre1.8.0_361\installer.exe
Filesize
1.1MB

MD5
dcb07febfc873261ae0c351d327027a0

SHA1
b3855001990bb500212f4f8b421594e91f45d5f3

SHA256
e9d0623547dd40d5ccc42e4718d4e307241fcf2d4a5df93d1ec0fdc9925aafac

SHA512
374d8d4d39e344cc050ea0cde3a51db801ba77b18c85934820e6d1f37101922878b4107dc506f5be7ab3e0f2badbf0ace87bb0ab5713f5bdc27df00731f84dff

Download Submit
C:\Program Files\Java\jre1.8.0_361\installer.exe
Filesize
1.1MB

MD5
dcb07febfc873261ae0c351d327027a0

SHA1
b3855001990bb500212f4f8b421594e91f45d5f3

SHA256
e9d0623547dd40d5ccc42e4718d4e307241fcf2d4a5df93d1ec0fdc9925aafac

SHA512
374d8d4d39e344cc050ea0cde3a51db801ba77b18c85934820e6d1f37101922878b4107dc506f5be7ab3e0f2badbf0ace87bb0ab5713f5bdc27df00731f84dff

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo
Filesize
599KB

MD5
b32e3dc98ae64634ac70bca8d9fe9049

SHA1
b76035923c6712c4ef4242cbbd0fee1fd98fa88b

SHA256
62fe79e569453987e9e2f0f6ce1b3d31f1591b9a2b9243972f46406f70b53f1d

SHA512
4d67d9ff3d769d279aa9760fe87fe7ed3d91b526a52c96a2ac5fde95557ed1ba3b77421ed793f14dd094763129e9a2b791c40562e6f6c1a1c2663c62ca946deb

Download Submit
C:\Program Files\VideoLAN\VLC\uninstall.log
Filesize
42KB

MD5
d67ee1a30f5a67ed10333e3319fe217f

SHA1
9f98fbca68d547d906a70bdae881a14849e2a3a1

SHA256
8ca28e95c1c95cee3dcb682e8aa6f0aaea95d9ac64cd5fe21cd59e8c56dc64ab

SHA512
b7f79b47be0987a89b696b94c11839267b7ec64174430e5635a6770f7dfa6bc9c3dd8a76bc495bc5e0e49412e62da26a0a90e12177a4304b889d1f2ea01b0917

Download Submit
C:\Program Files\VideoLAN\VLC\vlc.exe
Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url
Filesize
195B

MD5
a5422debbdc81da65f5fa2b17da9eeaa

SHA1
e9c01053c6c45589462db2e31bfd7c6ffea60f31

SHA256
239a4ee2824fa17a17e0b84f94a07fc4bc56edf3f9cc426daf3878d16e722e95

SHA512
f49d75c09140e6b5ec1a2c64ea102396d57edb0c2312a1ab27cb3d0919726965ba3ed34a992898661f974a0405db57a1e5f8948345bebd72e52c07a796ba093f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url
Filesize
197B

MD5
faded0d5bdcbad42d8f4826cc3c620fd

SHA1
c49c34f2d2160297b1c0c71c327180ed52ff673e

SHA256
d869d1b0c391cd9ce8f0c633cb8e5731c5073c33f875b32a2a61006a3c1bb24a

SHA512
bc60186037724353460a0f7af8b207ccabe64d80aaff796d9ee082c6cb6573ff214dedc22080fdf23664ce79f7604276e1bab746dcf2407a46e40ff38b7119cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
182B

MD5
472d99cc0c3c745e9d794af2495e1073

SHA1
c1fbb2d17fbcea3d8d76d4516cb099ef89c3d6ce

SHA256
0a07df0e4ca2361cbd92c5c56068d8ea51cf0cfcc755d015cd1034c250cf1f9a

SHA512
bed250fb803323ebef7c6af71912572767a6e36e4ed54886d773758e3470c906ca9995dd54c64b43f297c7de676fc47936ced5c81cdf3fa8ee9688d9c96a6e27

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
180B

MD5
ced45757da7212b9c8419d34ddadce4a

SHA1
e88a8765caeb6300a71111d71b1bf00a4f922391

SHA256
2b3049bac564084a0c1dddb06fc74c52fd2cd433375fdefb326cc1587c906c67

SHA512
c1cd76f468604b07fa21430bcd5214331ce440bba540426ba823de2a67e3363397fc440dc3d64264d5a2b81746ad420aa44b78090f4b9b03abf43546fa8fcdf0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
178B

MD5
629c2e7a4d9e24406873fe2fa7543be7

SHA1
d6c48edc07e35c1b84fc2bf5f74367edcd2bd3d2

SHA256
cf23fccf15c640cda1a383a09246a5a1213ebd5c9a1c077ad5cddb785f4700dd

SHA512
00cd51c0377e9c058c3cafcf4ba03ffbdad37711b4bafe054eba978fb3dc4c178cfec0d292d4fee27aea42a8b39ba8187866ad4d304f8b74662bf1accfaae8e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
176B

MD5
8f614b432b7dbc23691ab9e2c96d74ca

SHA1
6c34b22285a6cf15ebe8f5ff956cfe99d1a4121c

SHA256
d3cd1f65c7c6e564f76220e963ff22f15769aa95e500b57ddce9260049f59220

SHA512
12aa2ff757263e497e2b45871d64fa91acccc53a209f30c761ad36328e7074bb123641a20e81207e6fae0eecf5db58834c01ef096286be2ec6c3afe6e1cac421

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
a7e9116a90242bd18440c1a9b986acdb

SHA1
5a2cbcf174d89a06a1be5188d34cdb10f21da08d

SHA256
043e669649ee36dc66f8a808ed94f1b11cf9de983f5d270cc063d5237741cfc4

SHA512
af41f038ef6190d71e5f864213ba8c3031836289c80620876a09c14a751f4478e06cf84f406c603db22cbc609d1b7f6cd9f69a8847aee73fc24a443255fbd8d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
c0beffd3dd0db195fe31ce8265e9094f

SHA1
bf9e183202f8283aad218eda5049abc566903ae0

SHA256
e769ed75ff7a96b74a16fcd412d683686bcb611a0b7905808c139f15526cd7c0

SHA512
369253adaec3d990c0dcc99c8450900ae8619db635b9c2b35e9515f39ec903469ef4faa4ee4a85f31158dccbd4991700478c27e613dafbc5e26817c32fa58e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B909E30E95B241D9E108D9CF47683C20
Filesize
503B

MD5
14a149c9c8f4c9b30dea0296adf25eca

SHA1
a054eb7ef484f8b83f15bef9854583d1a4df24c2

SHA256
459ebd3a0cfc832a463fa2267c06cff99e57dba079a887a7ae4dfd280ae55806

SHA512
ff3b4070344b46c164289b9c8b674172f35128ed4326397e90f2b448d9ee282e2d435ec8bb68cc1e6dcaafbbf9143ea291495461088765be809a683907a6cf31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
5d3e035b375345f05806978e3d9a51c1

SHA1
5810cf0b35bed8489428e7e26d0ac9409e1bd5b5

SHA256
52d8fcfdb2dfdaa41d0cb6ccaeefa523967075e36a93e9c2cf904bcf1b2e750e

SHA512
8f8c81e40d94580b7e3497ac1a258af2d03b88d136bd7257f109f9afcdab2aa39a1d1ce240d4ff35d5d2589ed5163950db44152cebabbe24350cb5cc7eddb163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
2a663797112d35ac811ea1881ce6a41e

SHA1
b6c2bc41b6febe39a2db96954700133cef3094f4

SHA256
8f4053372f90e347608fd1b380e542f246b18d227b401f77fd862e2fcb016e72

SHA512
dec23a79a1904dee2f3cf6289c5ca762261c399af42e9f0ef17ae7957272712e9f671062eabcce098ce0e906e87d32606f30acb20dab7d734204f407455278b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
7f74400e57d44eca8c6211d26029b747

SHA1
e3b1c16f6e606b7d39979815784d0a9ff8130a22

SHA256
019f96819c20dfb6d5c0fa2b3924cb8fed80801d056f284d8f12531e52f45483

SHA512
e2ddf283ea73c1af9c25136eb5f64168950d5643b6ba13266dd4199a10355799c9017f57f4009b7a007f9f81782f0de5078728070f98c044b9ce785081cffdf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B909E30E95B241D9E108D9CF47683C20
Filesize
548B

MD5
c6091b16b3a284b56d6ab55567fb7265

SHA1
e2b4deea79af8660a60e1390f737544f8b1e6b8b

SHA256
e3f03d27d25d02fcb195a404be0a2ad6c3e77ef0887b8a87b32d96ede48ff765

SHA512
a3027912821b3a01c139e0eeceff4176fafa5a31c868f0bdf60acd24d40cfbae82967889f33bab3b1571b8321a654997a67b2e9b4225665c7423ada0ad20714b

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361_x64\jre1.8.0_36164.msi
Filesize
58.7MB

MD5
407d36101348022e67342b44292d2b39

SHA1
1811ab3993672a9f329868622d96014043bd5f4a

SHA256
213e9fa760dfa2af22a4ac94a10c7f21f4b482aa04e8cf3706264e4c17d2481e

SHA512
cd78f2d3d8057467f87c846fd2252cc2632de822b2c5d37a9f2bcd0c68fafe598bdc4bc69760cd7e84037a5b28b3f11a4385684962857e3ce572ec9b302f0c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Filesize
1KB

MD5
0a96f50f441179d9c55d7a144d31f08f

SHA1
54474c2eb38379e41018b90d7395a2d193972e62

SHA256
20f57217aa481fe4fe5ab3d271e25723ade5d022388bbe9b86e8086988136acc

SHA512
e76c31a395f609dbd6418f1925c810310d2dc9474c96926cad5f1bee40fbcdeb2c1d2cb4988b0658a32df7662bbebad28fce2948f56fbc27d91fd84ca0f6232e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CC49A6.tmp
Filesize
8KB

MD5
0829f71740aab1ab98b33eae21dee122

SHA1
0631457264ff7f8d5fb1edc2c0211992a67c73e6

SHA256
9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47

SHA512
18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\vkwZzU9B[1].txt
Filesize
22B

MD5
772bc4e512636d2166ba1ebcc5422d94

SHA1
23d136fe6087b4ab9afeeb3475c8c90b51955407

SHA256
6641fa5eabe01afc93ab02af6265e8728cfd49ffdb777426b2d3c68049910f4a

SHA512
1d893797b4ea3cf7fc07d3ad6a8adf423cbcac8bca749d45e9c8e746ec7b061c7b35153d55b4506b16a86d859025670b7d5cc03417796760f501b763f86ba029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\jBMw[1].pkg
Filesize
444KB

MD5
4197192468b26ff1230c83ea8f310ca2

SHA1
d2aba8ae19225d8b742e89d16370fca0a12df7f4

SHA256
4121f6ec9fb18f06b02637a3b7ff555de49bcfc9b887e6d64f964be668f7bf0f

SHA512
fc8fc4b10f82bf16dcddf72d47a326672ff73cc17120c964cde4d3d829809fb9041be72f087936f2ff3a1050918a8058207d1ee42e3fb6765b77b39859615b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
21bd3a9096143a781c70624f3f1f7260

SHA1
ef78273e487abf842c7d3eecc82e70876ae3ae2e

SHA256
5d8b87b5fc4d5360f6eb96834e96450544ed2ff5e0057f4d5ee64979ad896dbf

SHA512
277e4987410fed6a3b7c1db2c26a066250aed350576e6b57f1972f476e7bae91fc54012b0e86cd241ac37ed746e392f1a493d3e4bc3e813b09b8dfb1f540cf3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4bcd31cf37aa235993435833de927d42

SHA1
61a42d262d0e196410379440d671c9e5587a2242

SHA256
b4b7a0dacab511e2b2832659a4c82d20b63a7e05c2178a3c893ffce7a83eb132

SHA512
d9b0ab4cafb094b8e823908e8a96c19084c95721e9317f59d182c674f0dde7a2872ce2a9e1df49b4a9ed320a6068f711ef82f57c88e86c8aebb79a0e909129c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
8b19ca32048099356ad94463fc864553

SHA1
1aad2ff455501bc815e440417a3237696ee6ad5d

SHA256
2b7904145c970c24951abea8d784fa788ee1d5fd95fe9ef973c67911e158deda

SHA512
432ae410f7c0b23d6ff10adfbc30c7a582b731ba0b9a5db8313a2abbc8a9a78de96dd9e2c54a41a21eedec89c8c27b47f659f1e52f94ecd7965200cc1be73649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
c1111ce2c803670e56bc515bda15f989

SHA1
13f4c63ad91efceeda35b2dd6a14c2d4a8b5c50b

SHA256
66cb2e353e8766c5388a67dad2d688f033667b863ede7317cbe5f85321991e72

SHA512
539a31c8df463b33e8da231c6cb99026c159cea71cf1612faef508593f866509bdca709d0f0a7f8b354e5eafc2d8556c598cae9c64566b1a975bd2538e9c74eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
87e16c45080548d7ae9862301e3d6e70

SHA1
74820004f758cb95c2e895dc8d9b01f6b7d40bdc

SHA256
9fd7d255858af50bcd478fd63d874acf2c3d01abbd7746c75c9366ae25a01762

SHA512
c5edbdcdc81b97b2fa367bcfa75492725577b56a0a44978214aa8840bdc9f96012c11498f713b3f280c6b228ef7535336b254e337d783153e866baa0d113026a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
b3952d2df6a519e48111838b6eb67c3f

SHA1
741f07cc1c52be1736466d60051ab665a66b08b6

SHA256
ed7199803c5e8bff8f3d88c2aa2f953a318a65c459efc14ed3bb895517715a8c

SHA512
a2100c22352eab9de395dc1cc9544e88737a942292e319d0907723a078f8974babd43d7ad242a7048c6fe15c66f3f5541965a085a5a239d4ca1198489bcd6997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
000a7f30dec1e30d11802f9a77e36abc

SHA1
f18195188f31d535a9ee1895e218855b026ee131

SHA256
5dd90098c5fb48a1e1bc566c101ad14a6378cd128738b90e895e67e4d6478e78

SHA512
272bb86a28abcfe8931480fa40a551b2530c3fd91684eda45ded6ee53f179c44ceb4a5aeef0842165b1bd5b667776d52ee926dff2eee8c7e7c664773dbe022ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
03b6b7c4bae242f0b925eed0559a8f1f

SHA1
53877ef228119fd352c327c0f941ba294af8cff9

SHA256
e75a0b81b051c3e66d15df84ecf89ffd5f11ad2846e26f4b2257d6f5145de457

SHA512
df415e6adc1908b247e32d1fec8e0f5a32efe1d93431422199852ea07cf4d385938cae0497e36eaf3649c4081473d7fd6976ed7d9409097b0cf3fcbd6bbc186e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
925c5b3f5d797b96c7f7be013ed5612b

SHA1
ff22e2ed2554f047fb4bf3d5d92067a7068f8c8b

SHA256
ad05ac2160cf1187e74270cbaacc500ff42c8b3f406e32b85e8b653b103c760f

SHA512
63c7663acb0c5f1bcfd6c3a6a535f0a05f372c4c8cdc391dc73dd0c98200ece1e4adc32e646db2624df9fe2ebee3e163745ec173e8e331f74ae0aa063ba1f253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
cc4e2af1bd219bdb4abe8a3fbd6a931b

SHA1
76680a8a9ba9800aa0541849154c573f2045be08

SHA256
e3ce11814b0386cb33bc0d78edea488431f7b8b77e57c5ce17ae5a47d88defc9

SHA512
42865355b8cf3c79b502f8d2c3259c0e2c405f911b0740a2e08c93b2b9dc1920e7df1f0d06b7c631b9a54dd787bd2ab9a823ed4ecd9b25cce572c486cd646367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
5e5a836149a3fb0484513eedba74b420

SHA1
ac44424faf7dec02b96e2529b351e39a86b6137b

SHA256
a1094fa901b78665ff532e56d5bd66f9bc6ab1282988183f6064fc6e28c593ca

SHA512
3aa3c36e2e76fe383c3e90343eead24570bea57965821261139d9b2c7574b7b176ddc94cc7a4d8f8d40db193120aa9a90eb78c410fa3ae946d46d899a0ff79ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
2c49e74ee337fbdf9090dd5ac95b6875

SHA1
3651f83c006b2342be34b3dcb1f71f7b6e80a0e4

SHA256
c2f9204891a6c2c7cd92384a3fd9803e999345465b5b16500fc755ff5c6d01f3

SHA512
dc85cd4cfc24829c9c306bfbc621e3df8bb9e6141b8705e4d3c2de1680e79e99336117e1e40178c65ef534a7d6e8ba7221ad53079c38572c5cf0e2180543f240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
03f210eb73f5562731366906afa9d68a

SHA1
20b7701cc06ed16467ea416b12ececc26c533e0e

SHA256
67f1eb18e07e6d6258a0d17b76d86860da3c50938e84f294891b4c39cb0e9846

SHA512
192c96c1e5b08332cfe4fff3bbc4c86d7c44af8ef95d4ef9a061d3998719550a14f066f15307accae3fc9c41583ed72626b18e35ed078c2e1c4eef85e26ba587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
667cfcbac8f0df853616d19289ac5a4f

SHA1
752d2f96bb7d11a4da02f78254b384e523018564

SHA256
17ac09b2ecaa4b1cf521d21d78ad370669ebe4ff5bf0a6bd2d7b67439fa251a2

SHA512
421431ce37e4c634c05b919327dcd293b56949cceb6ab3debe464a2b2de4109e1f21351b50a45e8205e66cc99f2f4dd12a3a18c8031491c147900fd9999e2654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
bbc12a9d18dcebc716274aeb1decb210

SHA1
c59fe81042a156593b99ee8e328f430baee36e92

SHA256
07fc46b2a06536fe8f424a5d359bbec562628c5e4f7634b1b259b60dd7b6be37

SHA512
1ed0a0a4db7820ce58eef178218d92c503fd2b45569980fe9dabe98919b91c9415689b2b2624bb77418a2722f4a5c456cd97c53cba6fc5f54733228d8d729c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\PACK.EXE
Filesize
444KB

MD5
4197192468b26ff1230c83ea8f310ca2

SHA1
d2aba8ae19225d8b742e89d16370fca0a12df7f4

SHA256
4121f6ec9fb18f06b02637a3b7ff555de49bcfc9b887e6d64f964be668f7bf0f

SHA512
fc8fc4b10f82bf16dcddf72d47a326672ff73cc17120c964cde4d3d829809fb9041be72f087936f2ff3a1050918a8058207d1ee42e3fb6765b77b39859615b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\PACK.EXE
Filesize
444KB

MD5
4197192468b26ff1230c83ea8f310ca2

SHA1
d2aba8ae19225d8b742e89d16370fca0a12df7f4

SHA256
4121f6ec9fb18f06b02637a3b7ff555de49bcfc9b887e6d64f964be668f7bf0f

SHA512
fc8fc4b10f82bf16dcddf72d47a326672ff73cc17120c964cde4d3d829809fb9041be72f087936f2ff3a1050918a8058207d1ee42e3fb6765b77b39859615b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya.exe
Filesize
164KB

MD5
91acbc160d7e7a499ec13b3ad53c7d5e

SHA1
181479660c14de470a5c754f28640d3dcd8a1f77

SHA256
31d5f6acf8e54d00f09c2fb2d10825c92e39c867c2190154ef3277e2322ca12a

SHA512
d8d3c3deb88d127f3a496a41a57ac07c9d286dbda7ff493152e6a79c744c20bd726959287d0b24e42fb6884af269f0f33d7706dabc5cdee310201d03a7481ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya.exe
Filesize
164KB

MD5
91acbc160d7e7a499ec13b3ad53c7d5e

SHA1
181479660c14de470a5c754f28640d3dcd8a1f77

SHA256
31d5f6acf8e54d00f09c2fb2d10825c92e39c867c2190154ef3277e2322ca12a

SHA512
d8d3c3deb88d127f3a496a41a57ac07c9d286dbda7ff493152e6a79c744c20bd726959287d0b24e42fb6884af269f0f33d7706dabc5cdee310201d03a7481ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ya.exe
Filesize
164KB

MD5
91acbc160d7e7a499ec13b3ad53c7d5e

SHA1
181479660c14de470a5c754f28640d3dcd8a1f77

SHA256
31d5f6acf8e54d00f09c2fb2d10825c92e39c867c2190154ef3277e2322ca12a

SHA512
d8d3c3deb88d127f3a496a41a57ac07c9d286dbda7ff493152e6a79c744c20bd726959287d0b24e42fb6884af269f0f33d7706dabc5cdee310201d03a7481ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwhf03gl.ub2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g100.bat
Filesize
5KB

MD5
18074cede4e9d2b029a1db98a634ad46

SHA1
3977f74dc510a4c5af192ff8af0093f23cf24c57

SHA256
e140ae0028daaf1cba89c5959b0e1182566720b5a5bac05d6add053641a913a2

SHA512
a29f66d7660376a83e220a03e0e2529c0c47235345fd5b9fade7acbff4a9071af2b8170c4f779d8ed4cab82685457d58e937214d50466acae2ff967090cc8650

Download Submit
C:\Users\Admin\AppData\Local\Temp\g100.bat
Filesize
5KB

MD5
18074cede4e9d2b029a1db98a634ad46

SHA1
3977f74dc510a4c5af192ff8af0093f23cf24c57

SHA256
e140ae0028daaf1cba89c5959b0e1182566720b5a5bac05d6add053641a913a2

SHA512
a29f66d7660376a83e220a03e0e2529c0c47235345fd5b9fade7acbff4a9071af2b8170c4f779d8ed4cab82685457d58e937214d50466acae2ff967090cc8650

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240667578.tmp\Update-e70de386ebc763932a181fc37a2ad042.exe
Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240667578.tmp\Update-e70de386ebc763932a181fc37a2ad042.exe
Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
d39f15cc8172a16953e8904bf0a4ddaf

SHA1
9873a8a3db4ad179e683af1dd33a732a5168977e

SHA256
a8ccc407ebc919ccbebed90f5bea4961e4755aea381066afd99cbb58e00ca4b9

SHA512
69b127bb668b1d24d14c7b89bd91bf787ba38398e41221994f08478a05a1e4a0d1f62fd36123441f51b82662bf75a560691684e420ef5ba01ce049e26dac0eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
a0e4c2eda8cb7ba8b9861e9c30de714b

SHA1
22b7bdecdc34eb0160897d4ed6e4b24fc3dcf0a5

SHA256
3e00d24870d1a8af1dc5988ff11073ae92f40f284a30b74fffe79b502dda5ed3

SHA512
efadaba0aa9a437bcf07c37ed74e9195ba7284e4d6287b7f68b6abf8f944ebb12be7bfd16372190a9163ef157a47db8ea387337ad4ded056bd99894486ee10d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
292KB

MD5
ca417cc49fbfc842b79699147d7896ae

SHA1
f22bf0dc527ecaf348efede24953a7ad5ab22ddb

SHA256
cdd77a3b5547ba3954d041f3261fe5c104ea471e503416656595a80bfb334db1

SHA512
4348e8fea1d9376b9c83575a5c564c69bdcfea709fa781fb2b052739c50ffa1212c56e5983e5fe0eb1bbd18ee86ac6e1dada1cbc378c781536a14083d3a0db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
305KB

MD5
1d2afc71b248aa8458f349425768dab4

SHA1
7d64378e73cc7f99947635c82bac9ffa9f663029

SHA256
3662b4ac6904a494e4ff6ad66af140067e356324cc0b3d881b6b1cbcc587d5af

SHA512
abeb17575cf39ae3bfae395960626eff005555cbaa0cf20152a6736084b245038cfd5be16176e469a9a903e56b7b1db421aa6e60d514b5687b22e532a5b5bda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\INetC.dll
Filesize
238KB

MD5
38f2b22967573a872426d05bdc1a1a70

SHA1
ecae471eb4e515e1006fce645a82b70c8acda451

SHA256
83005624a3c515e8e4454a416693ba0fbf384ff5ea0e1471f520dfae790d4ab7

SHA512
31bc78bb4efc7c178c2c489b77d890b8806073180fbdd58156907c187cb73b0860701a9a2648da1da4930a8934c9a86b60ea5550315afebe833a681bcb4368e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\INetC.dll
Filesize
238KB

MD5
38f2b22967573a872426d05bdc1a1a70

SHA1
ecae471eb4e515e1006fce645a82b70c8acda451

SHA256
83005624a3c515e8e4454a416693ba0fbf384ff5ea0e1471f520dfae790d4ab7

SHA512
31bc78bb4efc7c178c2c489b77d890b8806073180fbdd58156907c187cb73b0860701a9a2648da1da4930a8934c9a86b60ea5550315afebe833a681bcb4368e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\INetC.dll
Filesize
238KB

MD5
38f2b22967573a872426d05bdc1a1a70

SHA1
ecae471eb4e515e1006fce645a82b70c8acda451

SHA256
83005624a3c515e8e4454a416693ba0fbf384ff5ea0e1471f520dfae790d4ab7

SHA512
31bc78bb4efc7c178c2c489b77d890b8806073180fbdd58156907c187cb73b0860701a9a2648da1da4930a8934c9a86b60ea5550315afebe833a681bcb4368e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\LangDLL.dll
Filesize
5KB

MD5
109b201717ab5ef9b5628a9f3efef36f

SHA1
98db1f0cc5f110438a02015b722778af84d50ea7

SHA256
20e642707ef82852bcf153254cb94b629b93ee89a8e8a03f838eef6cbb493319

SHA512
174e241863294c12d0705c9d2de92f177eb8f3d91125b183d8d4899c89b9a202a4c7a81e0a541029a4e52513eee98029196a4c3b8663b479e69116347e5de5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsDialogs.dll
Filesize
9KB

MD5
ec9640b70e07141febbe2cd4cc42510f

SHA1
64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

SHA256
c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

SHA512
47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB770.tmp\nsExec.dll
Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
71d0f953d45d227d977eebb15048eccb

SHA1
6fd437b316aaf7030426f4f85ab114eb1f77d5e6

SHA256
5210f9c57638f296afcc7f4bbb71193988c1324a764dca97fb6410b5315c1283

SHA512
dc8363364f858cf83974098651be0a49b97f964c19742e25dd0326649ec3473b541ff848903c29269c99372b24a3fbaf3315d1294bb4e4ffe3d32e64cf142349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
6KB

MD5
e6463638d4be4d74dba0f7633d25ebbf

SHA1
087f8278ecf6bd24dce7c7a75a0b4daa7d806aac

SHA256
0d6cd89bc8bb45cc6d67b2ee697c428d8bbc7b053fd1e32d4e244180e2b0a5a2

SHA512
c8a67e46b4f21145c2faa1a73c9e5638c4783cea5ad3ed6b8fee2dac1b7eb8271733bc92bc87788cbca7b52f74533ad3d3fd8868ac64a7a01d248396078857b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jesyn8dv.default-release\places.sqlite
Filesize
5.0MB

MD5
1fb4ea4bdcb1a6f14265884ee00ac2c1

SHA1
2af9e14eba832c3112279b4823ba950c41e00374

SHA256
d9771f15c10f70fbd2519b369dad8e7f7df583e15f3d65f9e59d30c0d4eabea8

SHA512
e980019bfaae57b9414b5072cf545ab2d19ba12a09c53db0e8b30f1f4c1394eeae28261999d388f89aca71f9c9037e1c175c89c12717787b65402cc12d59cd45

Download Submit
C:\Windows\Installer\MSI6F9D.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI6F9D.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI70C7.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI70C7.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI9CDA.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI9CDA.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSI9CDA.tmp
Filesize
759KB

MD5
216acbc40fb42eb247260a1feb124114

SHA1
3f16a8479e9e467a200c9fc6d98ffe56cfa642ec

SHA256
bbad98c96204a8f8b09457779a5da5cc3563de73925f0535e37b3f5e73fdc2a9

SHA512
001cf5470656cce65205074fda01528e066226b135b8e8bcb0e5dd13ca64e8bb70b45ee8e99ec2d8139157d40355a1cba353022c8a69bc3f9fa9af18304448e5

Download Submit
C:\Windows\Installer\MSIED0B.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\e58682b.msi
Filesize
58.7MB

MD5
407d36101348022e67342b44292d2b39

SHA1
1811ab3993672a9f329868622d96014043bd5f4a

SHA256
213e9fa760dfa2af22a4ac94a10c7f21f4b482aa04e8cf3706264e4c17d2481e

SHA512
cd78f2d3d8057467f87c846fd2252cc2632de822b2c5d37a9f2bcd0c68fafe598bdc4bc69760cd7e84037a5b28b3f11a4385684962857e3ce572ec9b302f0c0c

Download Submit
C:\Windows\Installer\e5868f8.msi
Filesize
1016KB

MD5
d82092d71622d5121dac785254a53707

SHA1
6e26aef9fbc34eda9b099e03242c2ee4a8e3a845

SHA256
1f6b3176e5e7ecfd7d262e9470eec2ac1a7fe9401bb064c87810af9a0aa7bb82

SHA512
e1f54163b242d8b3149d536d7bc3d3da896da229a8fc298e613bcbf75b3a77129d07b99df3008a30f95a80a91c17fe0feeaa8ad0e2ebfe4deb8678751258eca0

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
21cf8b585aaaf310f1fcc337d0e28507

SHA1
91ffc445dc6fbaf77eb583dfc9cf0fe903ce7ff2

SHA256
6591cd135971e80d52003d3ea702f609a9f2da7254ae50db8ec590bd1c347564

SHA512
308a42f78bffb25f568dada6bd7427df0abe365ca1a61484ece0edd638cf8d68b4f887e49eb80904176ea9d20991743880c0e33c0c9b23e1ce6a251ddc2b25a4

Download Submit
C:\Windows\Temp\CC-Updates\Update-a6a0f7c173094f8dafef996157751ecf.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Windows\Temp\CC-Updates\Update-a6a0f7c173094f8dafef996157751ecf.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Windows\Temp\CC-Updates\Update-e70de386ebc763932a181fc37a2ad042.exe
Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\Windows\Temp\CC-Updates\Update-e70de386ebc763932a181fc37a2ad042.exe
Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\inst100.bat
Filesize
5KB

MD5
18074cede4e9d2b029a1db98a634ad46

SHA1
3977f74dc510a4c5af192ff8af0093f23cf24c57

SHA256
e140ae0028daaf1cba89c5959b0e1182566720b5a5bac05d6add053641a913a2

SHA512
a29f66d7660376a83e220a03e0e2529c0c47235345fd5b9fade7acbff4a9071af2b8170c4f779d8ed4cab82685457d58e937214d50466acae2ff967090cc8650

Download Submit
memory/1708-633-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1708-649-0x0000000007330000-0x000000000735C000-memory.dmp

Filesize
176KB

Download
memory/1708-634-0x000000007F580000-0x000000007F590000-memory.dmp

Filesize
64KB

Download
memory/1708-622-0x000000006F3B0000-0x000000006F3FC000-memory.dmp

Filesize
304KB

Download
memory/1708-620-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1708-619-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1836-712-0x000002048D370000-0x000002048D371000-memory.dmp

Filesize
4KB

Download
memory/1836-708-0x000002048D3B0000-0x000002048D3B1000-memory.dmp

Filesize
4KB

Download
memory/1836-705-0x000002048D4A0000-0x000002048D4A8000-memory.dmp

Filesize
32KB

Download
memory/1836-703-0x000002048D460000-0x000002048D468000-memory.dmp

Filesize
32KB

Download
memory/1836-691-0x000002048D370000-0x000002048D371000-memory.dmp

Filesize
4KB

Download
memory/1836-688-0x000002048D3B0000-0x000002048D3B8000-memory.dmp

Filesize
32KB

Download
memory/1836-684-0x000002048D3C0000-0x000002048D3C8000-memory.dmp

Filesize
32KB

Download
memory/1836-682-0x000002048D3B0000-0x000002048D3B1000-memory.dmp

Filesize
4KB

Download
memory/1836-681-0x000002048D3C0000-0x000002048D3C8000-memory.dmp

Filesize
32KB

Download
memory/1836-679-0x000002048D4E0000-0x000002048D4E8000-memory.dmp

Filesize
32KB

Download
memory/1836-658-0x00000204FFF20000-0x00000204FFF30000-memory.dmp

Filesize
64KB

Download
memory/1836-652-0x00000204FFB70000-0x00000204FFB80000-memory.dmp

Filesize
64KB

Download
memory/1836-438-0x00007FFA22A90000-0x00007FFA22A91000-memory.dmp

Filesize
4KB

Download
memory/1836-439-0x00007FFA22AA0000-0x00007FFA22AA1000-memory.dmp

Filesize
4KB

Download
memory/1836-440-0x00007FFA22AB0000-0x00007FFA22AB1000-memory.dmp

Filesize
4KB

Download
memory/1836-441-0x00007FFA22B00000-0x00007FFA22B01000-memory.dmp

Filesize
4KB

Download
memory/1836-442-0x00007FFA22AC0000-0x00007FFA22AC1000-memory.dmp

Filesize
4KB

Download
memory/1836-443-0x00007FFA22B30000-0x00007FFA22B31000-memory.dmp

Filesize
4KB

Download
memory/1836-444-0x00007FFA22AD0000-0x00007FFA22AD1000-memory.dmp

Filesize
4KB

Download
memory/1836-445-0x00007FFA21490000-0x00007FFA21491000-memory.dmp

Filesize
4KB

Download
memory/2144-549-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2144-486-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/2144-548-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/2144-538-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/2144-522-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/2144-521-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/2144-520-0x000000007FCE0000-0x000000007FCF0000-memory.dmp

Filesize
64KB

Download
memory/2144-518-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/2144-508-0x000000006F2C0000-0x000000006F30C000-memory.dmp

Filesize
304KB

Download
memory/2144-507-0x0000000006980000-0x00000000069B2000-memory.dmp

Filesize
200KB

Download
memory/2144-504-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2144-497-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/2144-492-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/2144-550-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2144-485-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/2144-484-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2144-483-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2144-482-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/2144-481-0x0000000003000000-0x0000000003036000-memory.dmp

Filesize
216KB

Download
memory/2144-551-0x00000000078E0000-0x00000000078EE000-memory.dmp

Filesize
56KB

Download
memory/2144-552-0x00000000079F0000-0x0000000007A0A000-memory.dmp

Filesize
104KB

Download
memory/2144-553-0x00000000079D0000-0x00000000079D8000-memory.dmp

Filesize
32KB

Download
memory/4496-573-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4496-574-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4496-575-0x000000006F2C0000-0x000000006F30C000-memory.dmp

Filesize
304KB

Download
memory/4496-585-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4496-586-0x000000007EE60000-0x000000007EE70000-memory.dmp

Filesize
64KB

Download