Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19/11/2024, 12:17
Behavioral task: behavioral1
Sample: Device/HarddiskVolume4/SB Laptop/SUKUMARANS BACKUP/D Drive/Sukumaran/D drive/data backup- 28-07-07/Desktop/jre-5.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Device/HarddiskVolume4/SB Laptop/SUKUMARANS BACKUP/D Drive/Sukumaran/D drive/data backup- 28-07-07/Desktop/jre-5.exe
Resource: win10v2004-20241007-en
General
Target: Device/HarddiskVolume4/SB Laptop/SUKUMARANS BACKUP/D Drive/Sukumaran/D drive/data backup- 28-07-07/Desktop/jre-5.exe
Size: 14.5MB
MD5: a2bec18a54863f9797dfabab1ef15196
SHA1: 09737ab5e31bf5adc8d0b3a64dfb6ff5d42187ee
SHA256: faf3bfcc34a4ba9ee361f00e17391f7011076cf4991d43da985b7d042a59a0b4
SHA512: f1180da6fc83327ed4eb9fd5c55f78950d026a42712c5a9f1c3355d2c5c27b36f666100dcbab9ebcce62f65acd8a924bd4294ef0d9b2c5f247195aa25b70b4ea
SSDEEP: 393216:UML5gI49HBvqRiMz+bRH1yAfQtZgTaz8E7vRdN8Rvcok:UML5D49HGz+bLG6kb/ok
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\Locale = "EN" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\ = "Java (Sun)" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\ComponentID = "JAVAVM" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\IsInstalled = "1" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\KeyFileName = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\regutils.dll" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\Version = "5,0,5000,0" | MsiExec.exe
Executes dropped EXE 21 IoCs
pid | Process
1372 | jre-1_5_0_02-windows-i586-p.exe
1248 | zipper.exe
2440 | zipper.exe
3340 | zipper.exe
1592 | launcher.exe
808 | unpack200.exe
4960 | launcher.exe
4928 | unpack200.exe
1268 | launcher.exe
540 | unpack200.exe
4796 | launcher.exe
3068 | unpack200.exe
3064 | launcher.exe
1232 | unpack200.exe
1500 | zipper.exe
2596 | launcher.exe
4000 | unpack200.exe
2352 | launcher.exe
4656 | unpack200.exe
4768 | patchjre.exe
4372 | java.exe
Loads dropped DLL 25 IoCs
pid | Process | rows
2012 | MsiExec.exe | 5
4028 | MsiExec.exe | 18
4372 | java.exe | 1
4768 | patchjre.exe | 1
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process | rows
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (one row per drive letter; C:, D: and F: are not probed) | MSIEXEC.EXE | 23
File opened (read-only) | the same 23 drive letters, one row each | msiexec.exe | 23
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\java.exe | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\java.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\javaw.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\javaws.exe | MsiExec.exe
File created | C:\Windows\SysWOW64\jpicpl32.cpl | MsiExec.exe
File created | C:\Windows\SysWOW64\jupdate-1.5.0_02-b09.log | patchjre.exe
Drops file in Program Files directory 64 IoCs
description | ioc (files in the same directory grouped in braces) | Process
File created | C:\Program Files (x86)\Java\jre1.5.0_02\bin\{axbridge.dll, kinit.exe, rmiregistry.exe} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\{fontconfig.98.properties.src, fontconfig.Me.properties.src} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\ext\{localedata.pack, sunjce_provider.jar} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\ext\localedata.jar | unpack200.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\im\indicim.jar | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\javaws\{messages_de.properties, messages_fr.properties, messages_it.properties, messages_zh_TW.properties} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\{CET, GMT} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Africa\{Gaborone, Johannesburg, Lagos, Lome, Ouagadougou} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\America\{Anchorage, Cayman, Edmonton, El_Salvador, Guyana, Indianapolis, Mendoza, Montreal, Santo_Domingo, St_Johns, St_Lucia, St_Vincent, Tijuana} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Asia\{Aqtobe, Chongqing, Damascus, Dubai, Riyadh} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Etc\{GMT+8, GMT+9, GMT-1, GMT-2, GMT-8} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Europe\{Belfast, Gibraltar, Simferopol, Tirane, Zurich} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Indian\{Chagos, Christmas, Mauritius} | zipper.exe
File created | C:\Program Files (x86)\Java\jre1.5.0_02\lib\zi\Pacific\{Enderbury, Funafuti, Galapagos, Noumea, Truk, Wallis, Yap} | zipper.exe
File created | C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\patchjre.exe | msiexec.exe
File created | C:\PROGRA~2\Java\JRE15~1.0_0\a.A867 | patchjre.exe
File created | C:\PROGRA~2\Java\JRE15~1.0_0\bin\NPJPI150_02.dll | patchjre.exe
File opened for modification | C:\PROGRA~2\Java\JRE15~1.0_0\Welcome.html | patchjre.exe
File opened for modification | C:\PROGRA~2\Java\JRE15~1.0_0\lib\ext\RTA86740 | patchjre.exe
File opened for modification | C:\PROGRA~2\Java\JRE15~1.0_0\lib\security\RTA86740 | patchjre.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e5eb3c0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{3248F0A8-6813-11D6-A77B-00B0D0150020}\1033.MST | msiexec.exe
File created | C:\Windows\Installer\e5eb3bd.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{3248F0A8-6813-11D6-A77B-00B0D0150020} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB583.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\{3248F0A8-6813-11D6-A77B-00B0D0150020}\1033.MST | msiexec.exe
File opened for modification | C:\Windows\Installer\e5eb3bd.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\e5eb3be.mst | msiexec.exe
File opened for modification | C:\Windows\Installer\e5eb3be.mst | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | launcher.exe | 7
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unpack200.exe | 7
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jre-5.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jre-1_5_0_02-windows-i586-p.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zipper.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patchjre.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | java.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIEXEC.EXE | 1
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. All five IoCs here are attributed to vssvc.exe, the Volume Shadow Copy service (see "Uses Volume Shadow Copy service COM API" below), not to any of the sample's own processes.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MSIEXEC.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MSIEXEC.EXE
Modifies Internet Explorer settings 17 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\CheckedValue = "1" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\UncheckedValue = "0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\Text = "Java (Sun)" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\RegPath = "Software\\JavaSoft\\Java Plug-in\\1.5.0_02" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\Type = "checkbox" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\Text = "Use JRE 1.5.0_02 for <applet> (requires restart)" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\ValueName = "UseJava2IExplorer" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\DefaultValue = "1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\MenuText = "Sun Java Console" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\SELECT\HKeyRoot = "2147483650" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ClsidExtension = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\Type = "group" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_SUN\Bitmap = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\regutils.dll,1000" | MsiExec.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510002\jrecore | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\ = "Java Plug-in 1.5.0_02 <applet> redirector" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\ = "Java Plug-in 1.5.0_02" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\Transforms = "C:\\Windows\\Installer\\{3248F0A8-6813-11D6-A77B-00B0D0150020}\\1033.MST" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\{3248F0A6-6813-11D6-A77B-00B0D0150020}\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\EditFlags = 00000100 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0\ = "isInstalled Class" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\Version = "17104896" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\javaws.exe\" \"%1\"" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID\ = "JavaWebStart.isInstalled" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510002\8A0F842331866D117AB7000B0D510002 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\SourceList\PackageName = "J2SE Runtime Environment 5.0 Update 2.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs\ = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D510002\extra | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.150_02\CLSID\ = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\JavaWebStart.dll" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\npjpi150_02.dll" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\PackageCode = "6A0F842331866D117AB7000B0D510002" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D510002 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\ = "0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\npjpi150_02.dll" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1 | MsiExec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files (x86)\\Java\\jre1.5.0_02\\bin\\npjpi150_02.dll" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0 | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib\ = "{5852F5E0-8BF4-11D4-A245-0080C6F74284}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID\ = "JavaWebStart.isInstalled.1.5.0.0" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D510002\AdvertiseFlags = "388" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ = "Java Plug-in 1.5.0_02" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\ = "0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer\ = "JavaWebStart.isInstalled.1.5.0.0" | MsiExec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4860 | msiexec.exe
4860 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 756 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 756 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 4860 | msiexec.exe
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this 29-privilege sequence is recorded twice in full, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege a third time: 61 rows, one per token adjustment) | 756 | MSIEXEC.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
756 | MSIEXEC.EXE
756 | MSIEXEC.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 2964 wrote to memory of 1372 | 2964 | jre-5.exe | 85 | 3
PID 1372 wrote to memory of 756 | 1372 | jre-1_5_0_02-windows-i586-p.exe | 91 | 3
PID 4860 wrote to memory of 2012 | 4860 | msiexec.exe | 94 | 3
PID 4860 wrote to memory of 3376 | 4860 | msiexec.exe | 103 | 2
PID 4860 wrote to memory of 4028 | 4860 | msiexec.exe | 105 | 3
PID 4860 wrote to memory of 1248 | 4860 | msiexec.exe | 106 | 3
PID 4860 wrote to memory of 2440 | 4860 | msiexec.exe | 107 | 3
PID 4860 wrote to memory of 3340 | 4860 | msiexec.exe | 108 | 3
PID 4860 wrote to memory of 1592 | 4860 | msiexec.exe | 109 | 3
PID 1592 wrote to memory of 808 | 1592 | launcher.exe | 110 | 3
PID 4860 wrote to memory of 4960 | 4860 | msiexec.exe | 111 | 3
PID 4960 wrote to memory of 4928 | 4960 | launcher.exe | 112 | 3
PID 4860 wrote to memory of 1268 | 4860 | msiexec.exe | 113 | 3
PID 1268 wrote to memory of 540 | 1268 | launcher.exe | 114 | 3
PID 4860 wrote to memory of 4796 | 4860 | msiexec.exe | 115 | 3
PID 4796 wrote to memory of 3068 | 4796 | launcher.exe | 116 | 3
PID 4860 wrote to memory of 3064 | 4860 | msiexec.exe | 117 | 3
PID 3064 wrote to memory of 1232 | 3064 | launcher.exe | 118 | 3
PID 4860 wrote to memory of 1500 | 4860 | msiexec.exe | 119 | 3
PID 4860 wrote to memory of 2596 | 4860 | msiexec.exe | 120 | 3
PID 2596 wrote to memory of 4000 | 2596 | launcher.exe | 121 | 3
PID 4860 wrote to memory of 2352 | 4860 | msiexec.exe | 122 | 2
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\SB Laptop\SUKUMARANS BACKUP\D Drive\Sukumaran\D drive\data backup- 28-07-07\Desktop\jre-5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\SB Laptop\SUKUMARANS BACKUP\D Drive\Sukumaran\D drive\data backup- 28-07-07\Desktop\jre-5.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2964

  Level 2: C:\jre-1_5_0_02-windows-i586-p.exe
  Command line: C:\jre-1_5_0_02-windows-i586-p.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1372

    Level 3: C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\{3248F0A6-6813-11D6-A77B-00B0D0150020}\J2SE Runtime Environment 5.0 Update 2.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\_is2D1A\1033.MST" SETUPEXEDIR="C:"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 756

Level 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4860

  Level 2: C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 68A7CA0544CA764AB9FEC696B7EF3F5C C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2012

  Level 2: C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 3376

  Level 2: C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 89B04C18EF9E4AA3B7BC615C3BD50FD5
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID: 4028

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\\core1.zip" "C:\Program Files (x86)\Java\jre1.5.0_02\\" "C:\Users\Admin\AppData\Local\Temp\java_install.log"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID: 1248

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\\core2.zip" "C:\Program Files (x86)\Java\jre1.5.0_02\\" "C:\Users\Admin\AppData\Local\Temp\java_install.log"
  - Executes dropped EXE
  PID: 2440

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\\core3.zip" "C:\Program Files (x86)\Java\jre1.5.0_02\\" "C:\Users\Admin\AppData\Local\Temp\java_install.log"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 3340

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\rt.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\rt.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1592

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\rt.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\rt.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 808

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\jsse.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\jsse.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4960

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\jsse.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\jsse.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4928

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\plugin.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\plugin.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1268

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\plugin.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\plugin.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 540

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\javaws.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\javaws.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4796

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\javaws.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\javaws.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3068

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\deploy.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\deploy.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3064

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\deploy.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\deploy.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1232

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\\other.zip" "C:\Program Files (x86)\Java\jre1.5.0_02\\" "C:\Users\Admin\AppData\Local\Temp\java_install.log"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 1500

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\charsets.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\charsets.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2596

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\charsets.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\charsets.jar"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4000

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\launcher.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\launcher.exe" "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\ext\localedata.jar"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2352

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\unpack200.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre1.5.0_02\\lib\ext\localedata.jar"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID: 4656

  Level 2: C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\patchjre.exe
  Command line: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\patchjre.exe" -s "C:\Program Files (x86)\Java\jre1.5.0_02\"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID: 4768

    Level 3: C:\Program Files (x86)\Java\jre1.5.0_02\bin\java.exe
    Command line: "C:\Program Files (x86)\Java\jre1.5.0_02\bin\java.exe" -fullversion
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 4372

  Level 2: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  Command line: javaw.exe -Xshare:dump
  PID: 4932

  Level 2: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  Command line: javaw.exe -jar -cp "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\FontChecker.jar" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_02.b09\\FontChecker.jar" -o "C:\Program Files (x86)\Java\jre1.5.0_02\lib\fonts\\badfonts.txt" -w
  PID: 3136

Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID: 4752
Network
MITRE ATT&CK Enterprise v15
Downloads