Malware Analysis Report

2025-01-02 12:06

Sample ID: 221230-jw3ndsae4w
Target: jre-8u321-windows-x64.exe
SHA256: 273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d
Tags: bazarbackdoor adware backdoor persistence stealer upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

Threat Level: Known bad

The file jre-8u321-windows-x64.exe was found to be: Known bad.

Malicious Activity Summary

Tags: bazarbackdoor adware backdoor persistence stealer upx

BazarBackdoor

Bazar/Team9 Backdoor payload

Bazarbackdoor family

Bazar/Team9 Backdoor payload

Registers COM server for autorun

Executes dropped EXE

UPX packed file

Blocklisted process makes network request

Loads dropped DLL

Installs/modifies Browser Helper Object

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies system certificate store

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-12-30 08:02

Signatures

Bazar/Team9 Backdoor payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Bazarbackdoor family

Tags: bazarbackdoor

Analysis: behavioral1

Detonation Overview

Submitted: 2022-12-30 08:01
Reported: 2022-12-30 08:05
Platform: win7-20220901-en
Max time kernel: 67s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe"

Signatures

BazarBackdoor

Tags: backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Registers COM server for autorun

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\INPROCSERVER32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\INPROCSERVER32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\ssv.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\wsdetect.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2ssv.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\INPROCSERVER32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\INPROCSERVER32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A
N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A
N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A

Installs/modifies Browser Helper Object

Tags: stealer adware

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\WindowsAccessBridge-64.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\dom.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\ext\sunmscapi.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\fxplugins.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\prism_d3d.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\verify.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\Welcome.html | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\java.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\security\trusted.libraries | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\deploy\messages_ko.properties | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-console-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-runtime-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\javafx\webkit.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\resources.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\pkcs11cryptotoken.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\xmlresolver.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\cmm\LINEAR_RGB.pf | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\security\policy\unlimited\local_policy.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\deploy.jar | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-timezone-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\jli.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\javafx\libffi.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\jp2ssv.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\sunmscapi.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\relaxngcc.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\security\java.policy | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-file-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\java.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\JAWTAccessBridge-64.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-profile-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\security\java.security | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\release | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\images\cursors\win32_MoveNoDrop32x32.gif | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\security\policy\limited\local_policy.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\pkcs11wrapper.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\deploy\[email protected] | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\ext\dnsns.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\management.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\pack200.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\jfxswt.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-stdio-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\glass.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\hprof.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\ext\localedata.jar | C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-crt-string-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\javafx\gstreamer.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\jpeg.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\ext\cldrdata.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\fontconfig.properties.src | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\installer.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\api-ms-win-core-heap-l1-1-0.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\jsoundds.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\dynalink.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\cmm\GRAY.pf | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\deploy\messages_zh_HK.properties | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\WindowsAccessBridge-64.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\zip.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\bcel.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\jabswitch.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\ktab.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\bin\unpack.dll | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\legal\jdk\thaidict.md | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\deploy\splash_11-lic.gif | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_321\lib\ext\access-bridge-64.jar | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Installer\6c8853.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\6c8853.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIA194.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI96E8.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\6c8855.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI9E0A.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIA202.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\6c8857.msi | C:\Windows\system32\msiexec.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\msiexec.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\msiexec.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_321\\bin" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Environment | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\EUDC | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "0ca6f7v" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Printers | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Java VM | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Java VM\EnableJavaConsole = "0" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\EditFlags = "65536" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\ssv.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\ProductName = "Java 8 Update 321 (64-bit)" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_321_x64\\" | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\PROGRAMMABLE | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\SourceList | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled.1.8.0.0 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell\Open\Command | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jre1.8.0_321_x64\\" | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\ = "URL:jnlps Protocol" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\jp2iexp.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\INPROCSERVER32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Applications\java.exe | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TypeLib\ = "{5852F5E0-8BF4-11D4-A245-0080C6F74284}" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130120F | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\PROGID | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_321\\bin\\wsdetect.dll" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InProcServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\TYPELIB | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jnlps\Shell\Open | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\APPLICATION/X-JAVA-JNLP-FILE | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\ = "0" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ = "Java(tm) Plug-In SSV Helper" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\ProductIcon = "C:\\Program Files\\Java\\jre1.8.0_321\\\\bin\\javaws.exe" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer\ = "JavaWebStart.isInstalled.1.8.0.0" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jnlp\Content Type = "application/x-java-jnlp-file" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32 | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-applet\CLSID = "{8AD9C840-044E-11D1-B3E9-00805F499D93}" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4EA42A62D9304AC4784BF2468130120F\jrecore | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID\ = "{5852F5ED-8BF4-11D4-A245-0080C6F74284}" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\Implemented Categories | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\jarfile | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files\Java\jre1.8.0_321\installer.exe | N/A
Key created \REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ = "Java(tm) Plug-In 2 SSV Helper" C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\MiscStatus\1\ = "384" C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JNLPFile\Shell C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\INPROCSERVER32 C:\Program Files\Java\jre1.8.0_321\installer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\Version = "134220938" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF2468130120F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe
PID 1724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe
PID 1724 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe
PID 1104 wrote to memory of 852 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1104 wrote to memory of 852 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1104 wrote to memory of 852 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1104 wrote to memory of 852 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1104 wrote to memory of 852 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1104 wrote to memory of 1652 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_321\installer.exe
PID 1104 wrote to memory of 1652 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_321\installer.exe
PID 1104 wrote to memory of 1652 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Java\jre1.8.0_321\installer.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1696 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Windows\system32\conhost.exe
PID 1652 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1148 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1176 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1176 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1176 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 2028 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 2028 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 2028 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1896 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1896 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1896 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1700 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1700 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1700 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1688 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1688 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1688 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1356 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1356 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1356 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe
PID 1652 wrote to memory of 1648 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe
PID 1652 wrote to memory of 1648 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe
PID 1652 wrote to memory of 1648 N/A C:\Program Files\Java\jre1.8.0_321\installer.exe C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe"

C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 8C859FDBA35EAD81B7424915538115DB

C:\Program Files\Java\jre1.8.0_321\installer.exe

"C:\Program Files\Java\jre1.8.0_321\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_321\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180321F0}

C:\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

"bspatch.exe" baseimagefam8 newimage diff

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_321\lib/plugin.jar"

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_321\lib/javaws.jar"

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_321\lib/deploy.jar"

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_321\lib/rt.jar"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5315073229510475421130571330-893596216-14246614-469703009-9695576251855753633"

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_321\lib/charsets.jar"

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_321\lib/ext/localedata.jar"

C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_321\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking

C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe

"C:\Program Files\Java\jre1.8.0_321\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_321\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_321\lib/jsse.jar"

C:\Program Files\Java\jre1.8.0_321\bin\ssvagent.exe

"C:\Program Files\Java\jre1.8.0_321\bin\ssvagent.exe" -doHKCUSSVSetup

C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe

"C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe" -wait -fix -permissions -silent

C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe

"C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_321" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzMyMVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8zMjFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzMyMVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMzIxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe

"C:\Program Files\Java\jre1.8.0_321\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_321" -vma … -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==

C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe

"C:\Program Files\Java\jre1.8.0_321\bin\javaws.exe" -wait -fix -shortcut -silent

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding A6D9A496AA7DBA516EDEF303DDF4A527 M Global\MSI0000

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javadl-esd-secure.oracle.com udp
N/A 23.65.205.24:443 javadl-esd-secure.oracle.com tcp
N/A 8.8.8.8:53 rps-svcs.oracle.com udp
N/A 23.65.205.24:443 rps-svcs.oracle.com tcp
N/A 8.8.8.8:53 www.java.com udp
N/A 84.53.185.179:443 www.java.com tcp

Files

\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

MD5 80afab5be48bacf44155212c817f4e31
SHA1 5a8b12509bdecdb2024a8d00395ca5f24dec63dc
SHA256 fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657
SHA512 a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

memory/2036-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

MD5 80afab5be48bacf44155212c817f4e31
SHA1 5a8b12509bdecdb2024a8d00395ca5f24dec63dc
SHA256 fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657
SHA512 a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 de3aaa434c3e54fa6444c9f6110d5073
SHA1 fcedbe00229596d03cc8457f2bf0bd45f24c48cb
SHA256 dbf8545602fdf415484bbd74a5a4782743d3252cd5eee850d090ef4b5032dbe2
SHA512 fccebfd5fa1ec176ecb8a20bc724a7addedaeafafba1f53d001cddf04e0c034ead607c149b9382524f68d8b249489ba28f1f2f6b89c5465ff8f1133ab515b8db

memory/2036-57-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

MD5 80afab5be48bacf44155212c817f4e31
SHA1 5a8b12509bdecdb2024a8d00395ca5f24dec63dc
SHA256 fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657
SHA512 a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

MD5 80afab5be48bacf44155212c817f4e31
SHA1 5a8b12509bdecdb2024a8d00395ca5f24dec63dc
SHA256 fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657
SHA512 a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

\Users\Admin\AppData\Local\Temp\jds7083786.tmp\jre-8u321-windows-x64.exe

MD5 80afab5be48bacf44155212c817f4e31
SHA1 5a8b12509bdecdb2024a8d00395ca5f24dec63dc
SHA256 fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657
SHA512 a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_321_x64\jre1.8.0_32164.msi

MD5 39bf9b1c9177645cea379fcf282a4687
SHA1 74e37738ddc512fe91296599951ef1d99ac93418
SHA256 2381f3ca2c2f75b606e0049001d09c9c7b2df732d951c9253c3891347e941c10
SHA512 4ac1fcfa37799c61c0acb451b079708ab295a5daf7f675125f0bb4808c44f58754856cae23ae1cc1142f483b9a40c203049f1446c53fba94c304fe0d68936769

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c27b870fe713d61df4a2afe06547b19d
SHA1 09e6f7bebc231005efde4ab0a544a0d756c067db
SHA256 ffa0c9f191391b9decd66e01298985ed2b4ef1e54a2c676346d8e815cc0e1d03
SHA512 af0a597aced28f210abf9275c659b408fe0f02693c580a094890ab7f43e5063f9ebe31675c9b16d81e547eba142cce4c40375b331603f23d8bdb6f8da0937fd7

memory/852-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 d157715725ea8240adb0431b413d6db9
SHA1 196623319b2b595c4cddcdafd124d1e3ca4f89a3
SHA256 09d56b84520f17382e6a0261a34c4c2d905092d7ce379acdfa807a80e1ea3793
SHA512 c33fbbcc4ed20b0cd4c596ef711a1a3dfc56702bc0307c8b4b60ebf98b1783cd689ebd74c9f8d513cb87a43abc7641a9c04f3277050bb125304b4b279fc40401

\Windows\Installer\MSI96E8.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

C:\Windows\Installer\MSI96E8.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

C:\Windows\Installer\MSI9E0A.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

\Windows\Installer\MSI9E0A.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

\Windows\Installer\MSIA202.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

C:\Windows\Installer\MSIA202.tmp

MD5 da4598360ae218325c6b96b91a90dd19
SHA1 d773cc0953aaad2069467ad1a51e0fd7aa75e5c4
SHA256 4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4
SHA512 129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

\Program Files\Java\jre1.8.0_321\installer.exe

MD5 5bae8b1ca4c01b42cc3cf4f97e848035
SHA1 547eeb72683756379842575ddd03ea5f17568287
SHA256 3d63f68fbad1a1be6fdef8d898f38c4981fba7150e390c514282c859d5b5b7da
SHA512 cc062f747f8d0b3449ef3c196cf8bcc6546dc842e72ded5485ddd80b58b8c60b2aa99d3934a465294324b3ee8ea53f69c977e818f7ded2881506c25188e56e2a

memory/1652-76-0x0000000000000000-mapping.dmp

C:\Program Files\Java\jre1.8.0_321\installer.exe

MD5 5bae8b1ca4c01b42cc3cf4f97e848035
SHA1 547eeb72683756379842575ddd03ea5f17568287
SHA256 3d63f68fbad1a1be6fdef8d898f38c4981fba7150e390c514282c859d5b5b7da
SHA512 cc062f747f8d0b3449ef3c196cf8bcc6546dc842e72ded5485ddd80b58b8c60b2aa99d3934a465294324b3ee8ea53f69c977e818f7ded2881506c25188e56e2a

C:\Windows\Installer\6c8857.msi

MD5 39bf9b1c9177645cea379fcf282a4687
SHA1 74e37738ddc512fe91296599951ef1d99ac93418
SHA256 2381f3ca2c2f75b606e0049001d09c9c7b2df732d951c9253c3891347e941c10
SHA512 4ac1fcfa37799c61c0acb451b079708ab295a5daf7f675125f0bb4808c44f58754856cae23ae1cc1142f483b9a40c203049f1446c53fba94c304fe0d68936769

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 8e28767a82df7a6694e4392e56a6a1e1
SHA1 20f302b48712075bf036535748b6591ca724777e
SHA256 769b690a91236df863f9d43c539dcba4e175746e0fad15750208697a3bde3b68
SHA512 d36a14eca7e6c103d0f1bbab5f8b250f467709ec8354a71d0ab4d89dd9e74cf9c20401d7a1973b987296a060298d728f4689513158df9f473f8f5d61ca53dcc1

C:\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/1696-80-0x0000000000000000-mapping.dmp

C:\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/1696-83-0x0000000074B51000-0x0000000074B53000-memory.dmp

C:\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\baseimagefam8

MD5 22646919b87d1a6dfc371464405b373b
SHA1 2296c69b12c3e0244fc59586f794457a4735e692
SHA256 0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11
SHA512 b5cfe6640c3755f3094e248dcd852ade852f904e80bc7d8dfef5772620ef75eac788f503c3df4baa712e73dafcca51c4ef0c73659ae55c1e0afd59b73f90d3a0

C:\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\diff

MD5 ae2916473f36200bdedab19e4a274246
SHA1 680ae426e9aa93bf98b78263df11fdcea860fb98
SHA256 d703bc1d053a6042b24fbaec8f2a5712a7b71f925aea7740832fb3e4c12c94c3
SHA512 3abc92e2dd3d6553d3d93d565fcf67d960643db21e4275db4420a9dc6809e9b79c0e016c61e4dc142652dbfb3958ca81e71393587dcacff6b701f02a15c34d23

\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

\ProgramData\Oracle\Java\installcache_x64\7123426.tmp\bspatch.exe

MD5 2e7543a4deec9620c101771ca9b45d85
SHA1 fa33f3098c511a1192111f0b29a09064a7568029
SHA256 32a4664e367a5c6bc7316d2213e60086d2813c21db3d407350e4aca61c1b16a1
SHA512 8a69acae37d34930ed1b37a48012f4c1b214eacb18e46c7adc54aaa720b75c17ac0512206e7c7a72669c9f53e393b13ef9b7783f02482f19ea756c1022580f0d

memory/1696-89-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1696-91-0x00000000003D0000-0x00000000003E7000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2022-12-30 08:01

Reported

2022-12-30 08:05

Platform

win10v2004-20221111-en

Max time kernel

87s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jds240546828.tmp\jre-8u321-windows-x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe"

C:\Users\Admin\AppData\Local\Temp\jds240546828.tmp\jre-8u321-windows-x64.exe

"C:\Users\Admin\AppData\Local\Temp\jds240546828.tmp\jre-8u321-windows-x64.exe"

Network

Country  Destination          Domain                        Proto
N/A      93.184.220.29:80                                   tcp
N/A      8.8.8.8:53           javadl-esd-secure.oracle.com  udp
N/A      23.65.205.24:443     javadl-esd-secure.oracle.com  tcp
N/A      93.184.221.240:80                                  tcp
N/A      93.184.221.240:80                                  tcp
N/A      20.42.65.89:443                                    tcp
N/A      104.80.225.205:443                                 tcp
N/A      93.184.221.240:80                                  tcp
N/A      93.184.221.240:80                                  tcp

Files
