26c76cf5ce5f7b1968d31782afe50a56275eee121497a798a39e18910864b07b

Analysis

max time kernel
121s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jre-10.0.2_windows-x64_bin.exe
Size

100.6MB
MD5

604dbc1ab825d6d1814852a9a09aa8f7
SHA1

ca95256dbce87518fb74c282f75e1a6666f42492
SHA256

26c76cf5ce5f7b1968d31782afe50a56275eee121497a798a39e18910864b07b
SHA512

ddb4fb500dd4f626610cd234cfaad24cdac80b83eafe02dd2b0cd81aa9c7362bfeaf3ec6a810083085edca4d15e365cf84967776531901c470cdb62c6a84744e
SSDEEP

3145728:r7zVG8SIzSLIk/IsUCwP6BrU5em6x7VrEe2pwgMY/C:88SmSL3v26Beem6NmeR4/C

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Executes dropped EXE 13 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exeinstaller.exebspatch.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaw.exejavaw.exejavaw.exejavaw.exe

pid	process
2300	jre-10.0.2_windows-x64_bin.exe
1284
2348	installer.exe
2792	bspatch.exe
2364	unpack200.exe
3012	unpack200.exe
1068	unpack200.exe
2224	javaw.exe
2896	ssvagent.exe
2544	javaw.exe
1012	javaw.exe
2844	javaw.exe
2044	javaw.exe

Loads dropped DLL 64 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exeMsiExec.exemsiexec.exebspatch.exeinstaller.exeunpack200.exeunpack200.exeunpack200.exejavaw.exessvagent.exejavaw.exejavaw.exeMsiExec.exeMsiExec.exeMsiExec.exejre-10.0.2_windows-x64_bin.exe

pid	process
1368	jre-10.0.2_windows-x64_bin.exe
800	MsiExec.exe
800	MsiExec.exe
800	MsiExec.exe
800	MsiExec.exe
700	msiexec.exe
2792	bspatch.exe
2792	bspatch.exe
2792	bspatch.exe
2348	installer.exe
2364	unpack200.exe
3012	unpack200.exe
1068	unpack200.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
856
856
2224	javaw.exe
2224	javaw.exe
2224	javaw.exe
2224	javaw.exe
2224	javaw.exe
2224	javaw.exe
2224	javaw.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
856
2896	ssvagent.exe
2896	ssvagent.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2348	installer.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
2544	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
1012	javaw.exe
840	MsiExec.exe
1620	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
2300	jre-10.0.2_windows-x64_bin.exe
2300	jre-10.0.2_windows-x64_bin.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ssvagent.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0052-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0154-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0178-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0049-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0034-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0110-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0111-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0172-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0114-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0129-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0160-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0116-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0144-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0154-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0107-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0077-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0144-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0088-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0100-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0086-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0132-ABCDEFFEDCBC}\InprocServer32	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0124-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

10 700 msiexec.exe
12 700 msiexec.exe
14 700 msiexec.exe
16 700 msiexec.exe
20 700 msiexec.exe

flow	pid	process
10	700	msiexec.exe
12	700	msiexec.exe
14	700	msiexec.exe
16	700	msiexec.exe
20	700	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe

Drops file in System32 directory 2 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeunpack200.exe

description	ioc	process
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-crt-utility-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\tnameserv.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.security.auth\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\classlist	installer.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_259500331\java.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\glass.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\fonts\LucidaBrightDemiBold.ttf	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-processthreads-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-crt-convert-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.deploy\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.internal.le\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.jsobject\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\server\Xusage.txt	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\deploy.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.xml\xerces.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.management.jfr\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-errorhandling-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\j2pcsc.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.javaws\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.naming.dns\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\jweblauncher.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\javaws.jar	unpack200.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.crypto.cryptoki\pkcs11wrapper.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.deploy.controlpanel\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\deploy\messages_ja.properties	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\fonts\LucidaBrightDemiItalic.ttf	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\security\cacerts	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-file-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.zipfs\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\rmid.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.base\public_suffix.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.desktop\giflib.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\appletviewer.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\glib-lite.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\jabswitch.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\vcruntime140.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.rmi\COPYRIGHT	installer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\msvcp120.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.plugin\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.transaction\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.snmp\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\management_agent.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\jaccesswalker.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.xml\jcup.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.internal.le\jline.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\javafx-swt.jar	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\psfont.properties.ja	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\javaw.exe	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.se.ee\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\javafx.web\libxml2.md	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\jdk.sctp\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\jdk.javaws.jar	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.scripting\LICENSE	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\legal\java.se\COPYRIGHT	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\plugin2\msvcp120.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-debug-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-libraryloader-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\conf\security\policy\limited\default_US_export.policy	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre-10.0.2\bin\dtplugin\npdeployJava1.dll	installer.exe

Drops file in Windows directory 21 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f7700fa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2544.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF43.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE53F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770103.ipi	msiexec.exe
File created	C:\Windows\Installer\f7700fd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770100.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE678.tmp	msiexec.exe
File created	C:\Windows\Installer\f7700ff.msi	msiexec.exe
File created	C:\Windows\Installer\f770100.msi	msiexec.exe
File created	C:\Windows\Installer\f770103.ipi	msiexec.exe
File created	C:\Windows\Installer\f7700fa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7700fd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE414.tmp	msiexec.exe
File created	C:\Windows\Installer\f770105.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

installer.exejre-10.0.2_windows-x64_bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72601EDF-E030-4682-B548-27F69B93BDA0}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{09C72F5D-AD71-4F38-9E6E-A2BA33D10394}\AppPath = "C:\\Program Files\\Java\\jre-10.0.2\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	jre-10.0.2_windows-x64_bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{09C72F5D-AD71-4F38-9E6E-A2BA33D10394}\Policy = "3"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72601EDF-E030-4682-B548-27F69B93BDA0}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72601EDF-E030-4682-B548-27F69B93BDA0}\AppPath = "C:\\Program Files\\Java\\jre-10.0.2\\bin"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72601EDF-E030-4682-B548-27F69B93BDA0}\AppName = "ssvagent.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{09C72F5D-AD71-4F38-9E6E-A2BA33D10394}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre-10.0.2\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{09C72F5D-AD71-4F38-9E6E-A2BA33D10394}\AppName = "jweblauncher.exe"	installer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0167-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0117-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_24"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0175-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0102-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_22"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_163"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0019-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_188"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0161-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_161"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0181-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0086-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_86"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0051-ABCDEFFEDCBA}\ = "Java Plug-in 1.4.2_51"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0070-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0031-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_32"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_10"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0014-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0121-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_121"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0166-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_166"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0096-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0016-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_16"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0109-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0152-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_152"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0061-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_61"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0101-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0173-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0100-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_100"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0061-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBA}	installer.exe

Modifies registry class 64 IoCs

Processes:

installer.exessvagent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0165-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0173-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0049-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_22"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0195-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0090-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBA}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\INPROCSERVER32	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0003-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0106-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_136"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0078-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_81"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_71"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0163-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0122-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_133"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0057-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0068-ABCDEFFEDCBA}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0126-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_48"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_119"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-10.0.2\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0087-ABCDEFFEDCBB}	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0065-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_144"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0087-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

jre-10.0.2_windows-x64_bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-10.0.2_windows-x64_bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-10.0.2_windows-x64_bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

700 msiexec.exe
700 msiexec.exe

pid	process
700	msiexec.exe
700	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeIncreaseQuotaPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeSecurityPrivilege	700	msiexec.exe
Token: SeCreateTokenPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeAssignPrimaryTokenPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeLockMemoryPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeIncreaseQuotaPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeMachineAccountPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeTcbPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeSecurityPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeTakeOwnershipPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeLoadDriverPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeSystemProfilePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeSystemtimePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeProfSingleProcessPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeIncBasePriorityPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeCreatePagefilePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeCreatePermanentPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeBackupPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeRestorePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeShutdownPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeDebugPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeAuditPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeSystemEnvironmentPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeChangeNotifyPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeRemoteShutdownPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeUndockPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeSyncAgentPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeEnableDelegationPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeManageVolumePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeImpersonatePrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeCreateGlobalPrivilege	2300	jre-10.0.2_windows-x64_bin.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe
Token: SeRestorePrivilege	700	msiexec.exe
Token: SeTakeOwnershipPrivilege	700	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exe

pid process

2300 jre-10.0.2_windows-x64_bin.exe
2300 jre-10.0.2_windows-x64_bin.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exemsiexec.exeinstaller.exeMsiExec.exe

description	pid	process	target process
PID 1368 wrote to memory of 2300	1368	jre-10.0.2_windows-x64_bin.exe	jre-10.0.2_windows-x64_bin.exe
PID 1368 wrote to memory of 2300	1368	jre-10.0.2_windows-x64_bin.exe	jre-10.0.2_windows-x64_bin.exe
PID 1368 wrote to memory of 2300	1368	jre-10.0.2_windows-x64_bin.exe	jre-10.0.2_windows-x64_bin.exe
PID 700 wrote to memory of 800	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 800	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 800	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 800	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 800	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 2348	700	msiexec.exe	installer.exe
PID 700 wrote to memory of 2348	700	msiexec.exe	installer.exe
PID 700 wrote to memory of 2348	700	msiexec.exe	installer.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2792	2348	installer.exe	bspatch.exe
PID 2348 wrote to memory of 2364	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 2364	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 2364	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 3012	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 3012	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 3012	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 1068	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 1068	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 1068	2348	installer.exe	unpack200.exe
PID 2348 wrote to memory of 2224	2348	installer.exe	javaw.exe
PID 2348 wrote to memory of 2224	2348	installer.exe	javaw.exe
PID 2348 wrote to memory of 2224	2348	installer.exe	javaw.exe
PID 2348 wrote to memory of 2544	2348	installer.exe	javaw.exe
PID 2348 wrote to memory of 2544	2348	installer.exe	javaw.exe
PID 2348 wrote to memory of 2544	2348	installer.exe	javaw.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 840	700	msiexec.exe	MsiExec.exe
PID 840 wrote to memory of 368	840	MsiExec.exe	cmd.exe
PID 840 wrote to memory of 368	840	MsiExec.exe	cmd.exe
PID 840 wrote to memory of 368	840	MsiExec.exe	cmd.exe
PID 840 wrote to memory of 368	840	MsiExec.exe	cmd.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1620	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe
PID 700 wrote to memory of 1648	700	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\jre-10.0.2_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jre-10.0.2_windows-x64_bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\jds259434732.tmp\jre-10.0.2_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jds259434732.tmp\jre-10.0.2_windows-x64_bin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Program Files\Java\jre-10.0.2\bin\javaw.exe
-Djdk.disableLastUsageTracking -m jdk.javaws/com.sun.javaws.registration.RegisterDeploy -getUserWebJavaStatus
3⤵
- Executes dropped EXE
PID:2844

C:\Program Files\Java\jre-10.0.2\bin\javaw.exe
-Djdk.disableLastUsageTracking -m jdk.javaws/com.sun.javaws.registration.RegisterDeploy -getUserPreviousDecisionsExist 30
3⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 31A7C40F0E035FA756E9A3B60E21D0F4
2⤵
- Loads dropped DLL
PID:800

C:\Program Files\Java\jre-10.0.2\installer.exe
"C:\Program Files\Java\jre-10.0.2\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre-10.0.2\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={EECB2736-D013-5AC5-9917-7656712F6931}
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\ProgramData\Oracle\Java\installcache_x64\259471205.tmp\bspatch.exe
C:\ProgramData\Oracle\Java\installcache_x64\259471205.tmp\bspatch.exe C:\ProgramData\Oracle\Java\installcache_x64\baseimage_2dd5fe71afe7df677ea0edcae758b597.zip C:\ProgramData\Oracle\Java\installcache_x64\259471205.tmp\jre_image_259472360.zip C:\ProgramData\Oracle\Java\installcache_x64\259471205.tmp\jre_diff
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792

C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe
"C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe" -r "C:\Program Files\Java\jre-10.0.2\lib/plugin.pack" "C:\Program Files\Java\jre-10.0.2\lib/plugin.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364

C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe
"C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe" -r "C:\Program Files\Java\jre-10.0.2\lib/javaws.pack" "C:\Program Files\Java\jre-10.0.2\lib/javaws.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3012

C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe
"C:\Program Files\Java\jre-10.0.2\bin\unpack200.exe" -r "C:\Program Files\Java\jre-10.0.2\lib/deploy.pack" "C:\Program Files\Java\jre-10.0.2\lib/deploy.jar"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068

C:\Program Files\Java\jre-10.0.2\bin\javaw.exe
"C:\Program Files\Java\jre-10.0.2\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224

C:\Program Files\Java\jre-10.0.2\bin\ssvagent.exe
"C:\Program Files\Java\jre-10.0.2\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2896

C:\Program Files\Java\jre-10.0.2\bin\javaw.exe
"C:\Program Files\Java\jre-10.0.2\bin\javaw.exe" -Djdk.disableLastUsageTracking -m jdk.javaws/com.sun.javaws.registration.RegisterDeploy -fixPermissions
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544

C:\Program Files\Java\jre-10.0.2\bin\javaw.exe
"C:\Program Files\Java\jre-10.0.2\bin\javaw.exe" -Djdk.disableLastUsageTracking --add-exports=java.base/jdk.internal.misc=jdk.deploy -m jdk.javaws/com.sun.javaws.registration.RegisterDeploy -fixShortcuts
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 96475CF3DE71C1AD5CA1B21C4E5702B1 M Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /c del "C:\Program Files\Java\jre-10.0.2\installer.exe"
3⤵
PID:368

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FC29A422E7F11812E9A0812C2005DCE5
2⤵
- Loads dropped DLL
PID:1620

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A551333CB2DB0CD4F72FC143861227DC M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7700fe.rbs
Filesize
1.0MB

MD5
59eecb3c78c9fb37a766bb67819e11d0

SHA1
9635449956246079825fb63b62f371f9bdc1d0b7

SHA256
e69642fdbaed5c527d92503ea2d18dde471eb6ec89220aed6bf12e31bced2090

SHA512
071c70546c20fb780d0e10cd037cfcbfd19ecfd0d4b24e75e06994da1828440907ad855ca89eb358809735ec22a53fbc488e76a884e660b26aaef255e24d15f5

Download Submit
C:\Config.Msi\f770104.rbs
Filesize
7KB

MD5
0a352ff6b7d0c6ff2adf6e5fd68e48ad

SHA1
9d827a0a5abf29c832253a8f85383d02dac260ca

SHA256
493dacc949b41a085eda7432a70a3a2a9ab77446570b8504ba4e09d9a0e30807

SHA512
b53e293d031f6f6724edc19a4eb6a6cb57702bc44b20093b9db1bd8eb66ea786d1095301a7e605d25eb14290d4bd0fa93619a161f28fb79e996b42989abc84fb

Download Submit
C:\Program Files\Java\jre-10.0.2\bin\MSVCR120.dll
Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Program Files\Java\jre-10.0.2\bin\dtplugin\npdeployJava1.dll
Filesize
1.2MB

MD5
0e74cedcc095d09d1ce51b4270fe0134

SHA1
309a4c97488bd32a30e806aad568bb54e337ed51

SHA256
4e3b0aac5e88ecd208d92e87ec403ed4c79d438c62cadf17c73f8b55ba23f3c8

SHA512
ef5b3578abe26f63e621cf0bffcd237e92251112535d41eb0e7c2991df202ad1aaefc7ab53c9de1b380bef1ce3b10f105d21e8218b1b55f07d7e3f1b66139147

Download Submit
C:\Program Files\Java\jre-10.0.2\bin\javaws.exe
Filesize
342KB

MD5
2ca2f72d189008a00416b83c638d70f6

SHA1
af2a825ff2a4fca795fc6119b96598b2b6713147

SHA256
08fb99d9a05e2b8342fad819d7fc25ada7cd95574cd405b159d519bf5dd2e8d4

SHA512
34cabff03fb27e85192ca40d032b5b6409ed1c20e5dee97012a00bdd4bc8e8a956cd0d07d78c50c16edcba08e9290e401a922448762d5606fc1162cc1f2d1951

Download Submit
C:\Program Files\Java\jre-10.0.2\bin\server\jvm.dll
Filesize
10.1MB

MD5
dedfc8a105b491c279a9ba8c7e54382a

SHA1
cd07d5f5c9cf77210317e3fbf20fe35d3508a161

SHA256
896011ea575dad573b308827e74381aade3b465c7ec8dfc901c9f898697e4411

SHA512
681297fa95187758120dd7caab24edd4c28f5af93553140d9edc50c0891cce6f0a3dfa6b83ac7a3ee667a06fbb1dee4525154348aa6714fb608d6a2ae57e76c5

Download Submit
C:\Program Files\Java\jre-10.0.2\legal\java.desktop\COPYRIGHT
Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\Java\jre-10.0.2\legal\java.desktop\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\Java\jre-10.0.2\lib\classlist
Filesize
42KB

MD5
e693289cd3bc7a08f3f1162da609134c

SHA1
aaeb5c821b0604988517c1a7027133928d5a4ad7

SHA256
911476bb2e0b748d09f5f2839dbf4102db51ff45ffd315ef9fc93a271b9a6484

SHA512
faf50a3b12e5a5c9162b9ca327cc4e691f2449cf7c2698bfdbd778fc0767d9b01dcaedcb383f821ef00cea514b0c1bde9e5565be5c10a5c388692bb775177027

Download Submit
C:\Program Files\Java\jre-10.0.2\lib\deploy.pack
Filesize
1.8MB

MD5
7362147e342d000ce467d4154896eec9

SHA1
ed35cd9c9e32a309c7346893f40e5023236beff3

SHA256
47d331d6a584d54efb67142dbebd5ba257d7f804deca5f55701e22955ea8a823

SHA512
b003ab04cbd2b554a8ba712e58aa591c92eb4350401511d507a3255f3ec223ec2cad51f1364b567e407ca1f3a63b019a583cf8a4b915c91f073bbbe6a52605fe

Download Submit
C:\Program Files\Java\jre-10.0.2\lib\javaws.pack
Filesize
202KB

MD5
e621d9c671ee20d2642d87817603c5e6

SHA1
a6bd4d3208866a213a878fc92a9521a42d4b1f91

SHA256
394734aa38987845fc08254c884c75d21d26ab8edf3ae4c48867ebf730b2d1ad

SHA512
1beee51f702c88c8c6515d57660f9c3eada77486cac572001111ef7a79a6597dfb3ce7cd68a25f2b244cf073781ee4906b39b8d4eb5fcdee0ee1b4cb1fcc7982

Download Submit
C:\Program Files\Java\jre-10.0.2\lib\jvm.cfg
Filesize
621B

MD5
e8c0e384b66bb391608297b00d52f939

SHA1
29848fd719e290e214ea03148b85c36b81c97901

SHA256
13e9b24468cc662f8e17b33a5b3f577b5197bba899e9dc4d823ab2b6d71a7ce4

SHA512
5fc7096e36b43fbabedba10ad4f6b7d605f78604772fb79b6712faf41f90bb63e2b2a1908a282be8499cd3a911a0b69e6e09685775870b60255c2b2d1ce57408

Download Submit
C:\Program Files\Java\jre-10.0.2\lib\plugin.pack
Filesize
317KB

MD5
d68c892097314a16401abdd0055f532f

SHA1
eed5231fef9198ecadb629e42a086f07f9d663e8

SHA256
607612a796ce3ec38d61a82b3f060b136f3decc7ef66f2f3116fc8bd48be2e91

SHA512
6b903a4323f99ba94453e2a891050a525ffdbe0101963325611185c3402bac97b79c79168d286611e4304fdc62e1fa24e5c32fde52007d13dbfe2572eb5db5aa

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.lnk
Filesize
195B

MD5
42734f2565ebd0f1e61dccbe7045f665

SHA1
d380a19aab99f6cf54a19f5587024509818a2d89

SHA256
629cb4f37d95a26476a5a29307cb85680a2a2105abdf3ef455fc415bf337f022

SHA512
b081bef263c5ebd85a9a6f935a4898d8e35b43299d9a0b356f982f8037d4413c19c3aceb079eeaffd28a2f7fa31561eb1685c2e8c8650288b065f4f023f0be3a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
Filesize
178B

MD5
e7682c14b2d7544e0a51759dd56234a1

SHA1
9acb9ea501be329a63acbb939335ef9e96aa751e

SHA256
3a698e98e4b19b910730da58ae0ecea089b06e3e57924a96f16d1b40a980fe8a

SHA512
0ad3595280e7fac2f402c4814d44b2f7520deaed69dc51c040f106509cd6d0847ca44709221603e63b311036002b17bfbab0c0058efbced0da4b2a98a9836fc8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
Filesize
174B

MD5
f30f63a3fa9d0196069227a1f7ac76a3

SHA1
4eb4ee7d0666d2a2144825f03c1d1b0942ca0036

SHA256
a01980bdbcde178fa5e3f958994eebf701877353a15e1d4fc4b119081a93c78c

SHA512
157d3a9cb7aa9ec117fb0ea06ea648f5b0d007cc8feec4856b80d47629de84b7760f6dac9e5558fe043a26d68404867b90d0803add416dd67c73555b5bbc46bf

Download Submit
C:\ProgramData\Oracle\Java\installcache_x64\259471205.tmp\bspatch.exe
Filesize
76KB

MD5
e76d957ac6885bf081878194f44db859

SHA1
1ac280ccb177c9179c9af048c40870bbd66545af

SHA256
6e660254360d0dcdc3909797b2106b212a54f8ab0cdbf62799010cff3956b054

SHA512
4d1c6900073e9893d9762f19f87db475b9e790807042f42bd0c34a81e8868ebb4444a297a7858ff1a86e4539c6f32e3788a9f92721c7e88a51061a3a34878693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
174d158452280ee3f3274a5851236eed

SHA1
d034ad17a27b3755c98352cf1d774115e1358781

SHA256
70cc87809b2e190b8c4c1dcfd29cb0b1e26e7c6909b07ecbc28f964562509976

SHA512
b9da5d034e945ca4b602a76f081af4e5895a8ceb83211d68cc2d754edb3e3ba1b2dc9cf1b116e139765517fc5f5a6a89101276e032e81d8c09e00509a3f6cf66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
d26660f9bd8d598a2a1a7760b8e5f575

SHA1
b085a598d13473a3bdd3c7dadb03321e55bdd40a

SHA256
cedcc3194a846476f55641626b0cd829442f73916594319f4c23eb05dea1ef6e

SHA512
c01825b0c43d38a3e51b7a50ecc4c0a54c768b3a762018fb299ff077ecb69f1319995fb89253ea5175cb47f3a3053d4bf064071d45ffaad53877517fdaca4333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\rtutils[1]
Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\host[1]
Filesize
1KB

MD5
cc8ab7a5af0b3aaf0860365963db68f5

SHA1
6c840b0a04b6bdff250b4b107d2468b511b52b14

SHA256
396eb5a5dc652dc646fbf5e582dd85561cf24f1a80ee544ba000616dfdf739b1

SHA512
734094a97c5e4c40fc39aed74a9a2fbe6fd4131b1e2e1b6fb88ac964d1584478bc89a0789e6aefd3d7395a0412a497a14780e720e55c3b897eaba8690c30f17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\masthead_left[1]
Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\layout[1]
Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\masthead_fill[1]
Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\common[1]
Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\l10n[1]
Filesize
5KB

MD5
1dc701a5bb8b416b19e746e13da3f000

SHA1
3e5e362882f492ac716a5ec2db2a1a8c754801ee

SHA256
8a98faee6a869c534270e3137e693956e5315fa7da5430a9814c4cbe37918d9e

SHA512
dafa77e4be10ec7273742de973422c9f0659d3892a15d545172bd0f29c71bcfead09b80091d040a0b44b8276586dc2a402cf4cae8c3aab25dae4adaa9b1c5d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\runtime[1]
Filesize
43KB

MD5
b6871e79037226098441b8b3cc81d607

SHA1
1d16b4fd7a1746730aa915ba36b3047ba11c7698

SHA256
42e0016d21e63d36c987ed0347d07d55cfe4648183a79072a7c75675a18629bb

SHA512
c237f0bc9f4e00a8fa755d4025d9002dc818cff565944f37a41eb4c9b306432a11d017dddd95a3b257ccb5363d8a051514093749fa4cff7412abb0d5818fdcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab408.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
21KB

MD5
2b0e6e3fe24606f9c8a44b0e7886789e

SHA1
082fee626bee724049188899b680382c87394f96

SHA256
b2a371ecb4546a924041c40c72f9970b39f7231bc83686b21f039a8dd9523347

SHA512
fb141cbce9153ddaeb49054e42f9bc4dcbc1f4cf22aecec031d78050b106a29353a0a2f85a002a16809dd960164058744d5130e884c6e70d036474164265d970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43A.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar643.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
10KB

MD5
386113afc23ef06542c93ff70151cb87

SHA1
7cd1347776f98f43321422360d4e0730942dc507

SHA256
115c2aec1b818c339e7773f5ab0615deb4bc5a417d6dc104947dadc087d64c36

SHA512
c1831ec985b66565e298172252bf0a7d5cab57236b5069e1efefb1ba084478e2ecf8aea2cbab81409eb5aa00a66475f3958126e0b12db42fa78e80710586c7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
28KB

MD5
46145035e9ff8192c91d4b24d02eba3a

SHA1
fe615b179ed0fa8612b76bca961fac59ae4f2a56

SHA256
3ed3362368590409f8e0967a80711b38f8448a7f40037bac6f39ebf511610231

SHA512
0f7e8aaf4962d5bd9317e00f7db19632fb2d40f2bdbfda937f47af03b63b5cfb549279a397aed94fa1861f0d9f26ea48f218441f5f0f480b4fbaa5afb1f69f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
32KB

MD5
59716f32209b51a3a7cfc6741612a752

SHA1
340ac19f4bc13a1650f14a4dd86a6903ca8dedae

SHA256
3e734305b0aee47719fb8f84b320bc31a488bae19edff94be0845f17a53f774f

SHA512
e7654113279636a1f895dc11ad89ebfefdfe3bee0b90cb1d8704ca2800030209073443da95e3f5664935d4d2270663a4907291149328ef04376f9e8707c70445

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
2KB

MD5
5e01966911d53846e850cd1637e38924

SHA1
35ecc365a31691273b7326b467758421244696cb

SHA256
c6d8fc5390af18dc7f39151cd4223ffa08bc6cc3f7b9a94433bd01bba4af49e0

SHA512
ca03cdf0f455029a32060cc2b1a7ed8f48fe9d07dda96288a1876dd6b78535c7942d9205d579548739faa2b4fad1e8a3eeb713e30232df51496a85e219dbf99e

Download Submit
C:\Windows\Installer\MSI1FA8.tmp
Filesize
977KB

MD5
1850687430f5458aa3615a51520749f7

SHA1
6d51064b3060381daf69530e77bd9b34bb63b61b

SHA256
6ff503bfc6c5274b6d2caae84ce935a0d269400fedd90587b961ced32eddddda

SHA512
146b95284887ba6edebb078a9326cf02ce3f44a4d1c93e4fbb56626dce14bf74edd32eaa2b0e89d1bb9bab54cde211a9edd9f2891006b8c4c44a18a307567808

Download Submit
C:\Windows\Installer\MSIE678.tmp
Filesize
231KB

MD5
d8c647f1e2afdef62a6988f0baca820f

SHA1
f63816b45cbe49c84489c6090dfd172041fa82c6

SHA256
cd912f9b52a00cbd45dd75af6d1c7fb547d7f0877f79c49a51c1ef2fe96b1fea

SHA512
f1c06e4412d04f7c62013cc8647e54826225e72f7d5311e093b4945f73baffcb899a94a49189cf146f053d0026e9f6bee6978dcbc0caf98e71a4d765e29b9256

Download Submit
C:\Windows\Installer\f770100.msi
Filesize
812KB

MD5
ac7b9ee3740e06fbaf03a5be8cfb317a

SHA1
84000bded251f9fc61ba61dcf7e11cfbe52c729b

SHA256
3b1bc9804ff6bf7e3c598526eac8c62d6bce0346de6624e6d6a2b971e5d5947a

SHA512
d914cfe08d8ab849bb23e75fcf421b33293b934b9a973abf404025a56b88ff392d6da6ff6af4a27fd99822077a3bb0d363d0ade57d80f52e83d070844cb10f10

Download Submit
\Program Files\Java\jre-10.0.2\bin\java.dll
Filesize
146KB

MD5
e9ed37a8939f349d4213551510795e53

SHA1
0a2712cfb79a78e0440125411ee1d015a1cba365

SHA256
bdd6b18560561e9d514cc3c6f6ce630ca1407ffa4f4d68e86e35d93000a6bc51

SHA512
dfdeeeabae79484e65a587f21e6952b048c4bd7f9556d3d230fdbf7d97c065f20273d25206ad0d4073520c2b1dfc7c90e7c356728b2aad9137d3e036cd6597e9

Download Submit
\Program Files\Java\jre-10.0.2\bin\javacpl.exe
Filesize
85KB

MD5
14d1fe07a810dafba3e2343a72419661

SHA1
991706ee3fff399cf87d0d7acc69d5d043fe0edc

SHA256
fcc6e3df9bafadb0badfc096250606516688dd6adb8481e9fc1daa953bd5d471

SHA512
cd15f02959531aad6344186724cc6adffbe1271c3af74cecd73729cb2bacecd38c39c742f8e150e556e9b3f6fa17639d727f5ab85c0c20a0752ee951e07003dd

Download Submit
\Program Files\Java\jre-10.0.2\bin\javaw.exe
Filesize
226KB

MD5
7c05ed02f40a3499aa718569c40e065c

SHA1
fe4f36fc365f516577795d373763c26dbac6e4b9

SHA256
178c95a11e3e4b2bed84a6d660ac69bc11d4f0722ecb03fd0ec740b37eebba8b

SHA512
b46d1ad8f2de2404863f217680bc38939a8f03c378322c5837f36be598077557e058a75198db7b83059ec8419a2f5d26fcb953acad43f5fa93e30a5d21824198

Download Submit
\Program Files\Java\jre-10.0.2\bin\jimage.dll
Filesize
26KB

MD5
3ac93ed97356271b9dc96aadfd42ac69

SHA1
9117a62bc9747e5109dcc306232741132969e4c9

SHA256
4fee27032d65d8ee16bfafb9fc00adeaedef9873f9f6be1f5d46a6f7fa657409

SHA512
2b1cae103bd6a29194dd6ff9e79b240696a186711ad317e45ad59d84be43b10d9432f8320ebb248512cf6eabcc3990805a58978191c9ad599ef7df46529f66da

Download Submit
\Program Files\Java\jre-10.0.2\bin\msvcp120.dll
Filesize
644KB

MD5
46060c35f697281bc5e7337aee3722b1

SHA1
d0164c041707f297a73abb9ea854111953e99cf1

SHA256
2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848

SHA512
2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

Download Submit
\Program Files\Java\jre-10.0.2\bin\unpack200.exe
Filesize
129KB

MD5
4b554a6b583bcc690d3e44bf9dc535ed

SHA1
5ad936dcc9ab8458723b3ae06ba77f25324c75c4

SHA256
c2c8046d88e4d90df675a9986db9a339dd85936cbfd8db48541108d2ef6ebbcd

SHA512
8810d3deba000310e0d161991a50fe520ecbbda5060e67660db9090120bf2b2dc71688f8ee1b799ed0cce3750997799891ad072ef5d6682d5c89aea463824395

Download Submit
\Program Files\Java\jre-10.0.2\bin\verify.dll
Filesize
48KB

MD5
16f72cabeeeb822ce02a6e9148172b0e

SHA1
533fa0e183141ae576f47a4465d7ba8b13fb782a

SHA256
2b6f7e2d88271feed4c99c829c391272db6fc99ea3f6f0b8e23230e6e33e849c

SHA512
9693fc9d44c91a2268d2af29ded6ce011ce05526e4b647abe71f28e8dd27127df35a88262cfdcd716babff90a0bfa1e202a0da7fa2c3982f4edc8f0681e6c968

Download Submit
\Program Files\Java\jre-10.0.2\bin\zip.dll
Filesize
75KB

MD5
93c5f641909f60ddfb05dd18fa1bcf0e

SHA1
acf8d3b093c133fa9580a75238399483cd60b6d0

SHA256
280c965ceded6a904a1119ea21f9b8828a33d108ee14668e476bceeaf515f3ca

SHA512
0ac91c28e1590695d4d1cc4d2a43e5c795edb27539fde196f07861f89fa14ddab204aad0885516234a349c7b9101255bbedcbd6405bf30532222fd0d04feb2c9

Download Submit
memory/2300-147-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download