Malware Analysis Report

2025-01-18 21:12

Sample ID: 240311-z9q5hsgh26
Target: error422(1).zip
SHA256: 63bfdf16183fc6ba3aac2ccc86b3368445e448d2a50386a9dfeb88b8b7ff567d
Tags: (none)
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 63bfdf16183fc6ba3aac2ccc86b3368445e448d2a50386a9dfeb88b8b7ff567d

Threat level: shows suspicious behavior. The file error422(1).zip was found to show suspicious behavior.

The score is built from two detonations. behavioral1 ran the extracted error422(1).exe and recorded no signatures, no network activity and no file writes in its 120 s window. behavioral2 ran jdk-8u191-windows-i586.exe, and every behavioral signature detailed below is raised by msiexec.exe, DrvInst.exe or iexplore.exe, or by a second instance of the installer itself, while it installs "Java SE Development Kit 8 Update 191" (see Modifies registry class). The summary list also names signatures (Loads dropped DLL, Uses Volume Shadow Copy service COM API, Suspicious use of SetWindowsHookEx, Suspicious use of FindShellTrayWindow, Suspicious use of WriteProcessMemory) whose detail tables are not included in this export. Before treating the score as a verdict, establish which file the static "Unsigned PE" signature refers to (its table lists no target) and compare the extracted installer's hash and Authenticode signature against a known-good copy of the Oracle JDK 8u191 installer.

Malicious Activity Summary

Loads dropped DLL
Executes dropped EXE
Blocklisted process makes network request
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-03-11 21:26

Signatures

Unsigned PE

The static scan flags an unsigned PE inside the archive but does not record which file; both extracted executables (error422(1).exe and jdk-8u191-windows-i586.exe) should be checked individually.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 21:25
Reported: 2024-03-11 21:43
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\error422(1).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\error422(1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\error422(1).exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 21:25
Reported: 2024-03-11 21:43
Platform: win7-20240221-en
Max time kernel: 147s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe"

Signatures

Executes dropped EXE

The executed file is a second instance of the installer binary, run from a jds*.tmp working directory under the user's Temp folder; the indicator column is empty, so the report does not say which process launched it.

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe | N/A

Blocklisted process makes network request

The report records the requesting process but not the destination or protocol. Four requests come from the 32-bit Windows Installer binary (SysWOW64\msiexec.exe) and one from the 64-bit one (system32\msiexec.exe).

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Enumerates connected drives

Both msiexec instances open every drive letter from A: to Z: except C:, D: and F:, each as a read-only handle on the \??\X: device path. This is consistent with Windows Installer's volume enumeration during costing rather than with a sample walking removable drives, which is why this signature on its own carries little weight for an MSI-based installer.

Description | Indicator | Process | Target
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A
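The signature tables in this report share one row layout (Description, Indicator, Process, Target), and the question an analyst asks of them is not "what fired" but "which process fired it". The helper below is an added example, not part of the sandbox's own tooling: it parses the rows, counts them per process while folding the spelling variants the report preserves for the same binary (SysWOW64\msiexec.exe versus syswow64\MsiExec.exe), and extracts the drive letters each process opened from \??\X: indicators. It accepts both the raw space-separated export and rows laid out with " | " separators. The sample rows are copied from this report; the function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Description column vocabulary as it appears in these reports; longer
# alternatives first so the regex does not stop at a shorter prefix.
_DESC = (r"File opened for modification|File opened \(read-only\)|File created|"
         r"Key value queried|Key created|Key opened|"
         r"Set value \((?:int|str|data)\)|Token: \S+|N/A")

# Raw export row: "<desc> <indicator> <process> <target>". The process is the
# first "C:\...exe" path that follows whitespace and contains no quote, which
# keeps quoted paths inside the indicator (ProductIcon = "C:\\...\\javaws.exe")
# from being taken for the process column.
_ROW = re.compile(rf'^(?P<desc>{_DESC})\s(?P<ind>.*?)\s(?P<proc>C:\\[^"]*?\.exe)\s(?P<target>\S+)$')

_DRIVE = re.compile(r"^\\\?\?\\([A-Z]):$")   # indicator of the form \??\X:
_COLS = ("desc", "ind", "proc", "target")


def parse_rows(text):
    """Parse signature-table rows into dicts keyed desc/ind/proc/target.
    Accepts the raw space-separated export and rows split on ' | ';
    headers and anything that fits neither form are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Description"):
            continue
        if " | " in line:
            parts = [p.strip() for p in line.split(" | ")]
            if len(parts) == len(_COLS):
                rows.append(dict(zip(_COLS, parts)))
            continue
        m = _ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def by_process(rows):
    """Rows per process. Paths are lower-cased because the report shows one
    binary under several spellings (SysWOW64\\msiexec.exe, syswow64\\MsiExec.exe)."""
    return Counter(r["proc"].lower() for r in rows)


def drive_letters(rows):
    """Drive letters each process opened, taken from \\??\\X: indicators."""
    seen = defaultdict(set)
    for r in rows:
        m = _DRIVE.match(r["ind"])
        if m:
            seen[r["proc"].lower()].add(m.group(1))
    return dict(seen)


def unprobed(letters):
    """Letters A-Z that were not opened. Over the full table in this report
    both msiexec.exe instances leave out only C:, D: and F:."""
    return sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(letters))


# Constructed sample: rows copied from this report, plus one row in the
# ' | ' layout, to exercise both forms of the parser.
SAMPLE_ROWS = r'''
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File created C:\Program Files (x86)\Java\jdk1.8.0_191\bin\jdb.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductIcon = "C:\\Program Files (x86)\\Java\\jdk1.8.0_191\\\\bin\\javaws.exe" C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
'''

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, n in by_process(rows).most_common():
        print("%3d  %s" % (n, proc))
    for proc, letters in drive_letters(rows).items():
        print("%s opened %s; not opened: %s" % (proc, sorted(letters), "".join(unprobed(letters))))
```

Feed it the whole report and the per-process counts show at a glance that the submitted sample (error422(1).exe) contributes no rows at all, which is the first thing to establish before reading the score.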

Drops file in Program Files directory

Every file is written below C:\Program Files (x86)\Java\jdk1.8.0_191\ by the 32-bit MsiExec.exe, and the paths follow the JDK layout (bin\, jre\bin\, jre\lib\, lib\missioncontrol\). The rows are a sample of the installer's payload, not a complete file list.

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\sunmscapi.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\ext\nashorn.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\LICENSE | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\jdb.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\servertool.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\j2pcsc.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\fonts\LucidaTypewriterBold.ttf | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\jfr.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.2.174165\lib\gimap.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\serialver.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\rmiregistry.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\ant-javafx.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.2.174165\feature.xml | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\jsoundds.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\cmm\LINEAR_RGB.pf | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\security\trusted.libraries | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\msvcp140.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\javafx-mx.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\icons\flight_recorder.png | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\content-types.properties | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\Welcome.html | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\html\dcommon\gifs\contbig.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\appletviewer.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-memory-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\javafx.properties | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\html\dcommon\gifs\bookicon.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\jconsole.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\ucrtbase.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\html\dcommon\gifs\rightnav.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\rmid.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.2.174165\icons\date-span-16.png | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-synch-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\java-rmi.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\ext\cldrdata.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\html\dcommon\gifs\prodicon.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\deploy\messages_zh_HK.properties | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\deploy\splash.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\meta-index | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\html\dcommon\gifs\larrow.gif | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.2.174165\META-INF\MANIFEST.MF | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\bin\idlj.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.2.174165.jar | C:\Windows\syswow64\MsiExec.exe | N/A

Drops file in Windows directory

The Installer\*.msi, *.ipi and MSI*.tmp entries are the Windows Installer cache and transaction files maintained by the 64-bit msiexec.exe; the INF\setupapi.dev.log and setupapi.ev* entries are the device-installation log written by DrvInst.exe.

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\f784173.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f784174.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI606A.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI61C3.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI626F.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI6501.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI6783.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI65BD.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f784176.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI99BC.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\Installer\f784173.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI4F28.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI5F31.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI6435.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI66C7.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\MSI5E84.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI6126.tmp | C:\Windows\system32\msiexec.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\S ysWOW64\msiexec.exe | N/A

Modifies Internet Explorer settings

Signature tags: adware, spyware

Every entry is written by iexplore.exe itself under the logged-on user's hive (S-1-5-21-...-1000), and the keys touched (BrowserEmulation, IntelliForms, Recovery\PendingRecovery, Main\Window_Placement, MINIE\TabBandWidth) are Internet Explorer's own session and window state. The signature fires because an Internet Explorer instance was started during the run, not because another process rewrote IE's configuration; the adware/spyware tags belong to the signature, not to an observed payload.

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{382DB241-DFF0-11EE-BAC3-EEF45767FDFF} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies data under HKEY_USERS

All entries are DrvInst.exe (the driver-installation host also seen writing C:\Windows\INF\setupapi.dev.log above) creating the empty SystemCertificates and WinTrust store keys under the .DEFAULT hive that CryptoAPI sets up before it can verify a signature from that context; the only value written is a MuiCache LanguageList. No certificate, CRL or CTL is added to any store.

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A
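Two of the values above are printed as raw hex: the LanguageList written by DrvInst.exe is a REG_MULTI_SZ, and the Window_Placement written by iexplore.exe in the previous section is the 44-byte WINDOWPLACEMENT structure from winuser.h. Decoding them is what turns a "Set value (data)" row into something an analyst can read, and in this case the decoded window state tells you a visible, maximized Internet Explorer window was opened during the run. The decoders below are an added example, not part of the sandbox report; the three hex strings are copied from this report (the third, Clients, comes from the Modifies registry class section that follows) and the SW_* and WPF_* names are the Windows API constants.

```python
import struct

# winuser.h constants for the showCmd and flags fields of WINDOWPLACEMENT.
SHOW_CMD = {
    0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
    4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE",
    8: "SW_SHOWNA", 9: "SW_RESTORE", 10: "SW_SHOWDEFAULT", 11: "SW_FORCEMINIMIZE",
}
WPF_FLAGS = {1: "WPF_SETMINPOSITION", 2: "WPF_RESTORETOMAXIMIZED", 4: "WPF_ASYNCWINDOWPLACEMENT"}

# UINT length, flags, showCmd; POINT ptMinPosition, ptMaxPosition; RECT rcNormalPosition
_WINDOWPLACEMENT = "<IIIllllllll"   # 44 bytes, little-endian, no padding


def decode_multi_sz(hex_value):
    """Decode a REG_MULTI_SZ printed as hex: UTF-16LE strings, each NUL
    terminated, with one extra NUL closing the list."""
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte length")
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def decode_window_placement(hex_value):
    """Decode the WINDOWPLACEMENT structure Internet Explorer stores in
    Main\\Window_Placement and name the showCmd and flag bits."""
    raw = bytes.fromhex(hex_value)
    size = struct.calcsize(_WINDOWPLACEMENT)
    if len(raw) < size:
        raise ValueError("WINDOWPLACEMENT needs %d bytes, got %d" % (size, len(raw)))
    (length, flags, show_cmd, min_x, min_y, max_x, max_y,
     left, top, right, bottom) = struct.unpack_from(_WINDOWPLACEMENT, raw)
    if length != size:
        raise ValueError("length field %d does not match sizeof(WINDOWPLACEMENT)" % length)
    return {
        "flags": flags,
        "flag_names": [name for bit, name in WPF_FLAGS.items() if flags & bit],
        "showCmd": show_cmd,
        "showCmd_name": SHOW_CMD.get(show_cmd, "SW_%d" % show_cmd),
        "ptMinPosition": (min_x, min_y),
        "ptMaxPosition": (max_x, max_y),
        "rcNormalPosition": (left, top, right, bottom),
        "size": (right - left, bottom - top),
    }


# Values copied from this report.
LANGUAGE_LIST = "65006e002d0055005300000065006e0000000000"   # DrvInst.exe, MuiCache\...\LanguageList
WINDOW_PLACEMENT = ("2c0000000200000003000000ffffffffffffffffffffffffffffffff"
                    "2400000024000000aa04000089020000")           # iexplore.exe, Main\Window_Placement
MSI_CLIENTS = "3a0000000000"                                     # msiexec.exe, Installer\Products\...\Clients

if __name__ == "__main__":
    print("LanguageList:", decode_multi_sz(LANGUAGE_LIST))
    print("Clients:", decode_multi_sz(MSI_CLIENTS))
    for key, value in decode_window_placement(WINDOW_PLACEMENT).items():
        print("Window_Placement.%s = %r" % (key, value))
```

For this report LanguageList decodes to ["en-US", "en"], Clients to [":"], and Window_Placement to showCmd SW_SHOWMAXIMIZED with WPF_RESTORETOMAXIMIZED set and a normal-state rectangle of (36, 36, 1194, 649).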

Modifies registry class

These are the Windows Installer product registration keys for the package: ProductName "Java SE Development Kit 8 Update 191", PackageName jdk1.8.0_191.msi, PackageCode E663C303E21155C42B46898EBE586277, Language 1033 (en-US), Version 134219638 (0x08000776, i.e. 8.0.1910), with the installation source recorded as C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\. The key name 4F4A3A23297B6D117AA8000B0D811019 is the product code GUID in Windows Installer's compressed form and 4F4A3A23297B6D117AA8000B0D810000 is the upgrade code in the same form.

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Version = "134219638" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\PublicjreFeature | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\ToolsFeature | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductIcon = "C:\\Program Files (x86)\\Java\\jdk1.8.0_191\\\\bin\\javaws.exe" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\3 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\PackageName = "jdk1.8.0_191.msi" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductName = "Java SE Development Kit 8 Update 191" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\SourceFeature | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000\4F4A3A23297B6D117AA8000B0D811019 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\1 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\2 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\4 = "DISK1;1" | C:\Windows\system32\msiexec.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\PackageCode = "E663C303E21155C42B46898EBE586277" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\" | C:\Windows\system32\msiexec.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2700 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe C:\Windows\SysWOW64\msiexec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 2120 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 632 wrote to memory of 292 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 292 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 292 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 632 wrote to memory of 292 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe

"C:\Users\Admin\AppData\Local\Temp\jdk-8u191-windows-i586.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe

"C:\Users\Admin\AppData\Local\Temp\jds259428617.tmp\jdk-8u191-windows-i586.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi" WRAPPER=1

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9924DB1B007685271710860FBB59CFA0 C

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://appdata/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:632 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\error422(1).exe

"C:\Users\Admin\AppData\Local\Temp\error422(1).exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000574" "00000000000003D8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B696B1007129533C5115D7A1A72EA5DB

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 28F5D4E9291833C7F4C2D97477AD8D15 M Global\MSI0000

Network

Files
