Resubmissions
12-08-2024 17:47  240812-wdcepssark

Analysis
max time kernel: 316s
max time network: 317s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 12-08-2024 17:47
Static task
static1

Behavioral tasks (task / sample / resource)
behavioral1    Burpy/.git/hooks/applypatch-msg.sample        win10-20240404-en
behavioral2    Burpy/.git/hooks/commit-msg.sample            win10-20240404-en
behavioral3    Burpy/.git/hooks/fsmonitor-watchman.sample    win10-20240611-en
behavioral4    Burpy/.git/hooks/post-update.sample           win10-20240404-en
behavioral5    Burpy/.git/hooks/pre-applypatch.sample        win10-20240404-en
behavioral6    Burpy/.git/hooks/pre-commit.sample            win10-20240404-en
behavioral7    Burpy/.git/hooks/pre-merge-commit.sample      win10-20240404-en
behavioral8    Burpy/.git/hooks/pre-push.sample              win10-20240404-en
behavioral9    Burpy/.git/hooks/pre-rebase.sample            win10-20240611-en
behavioral10   Burpy/.git/hooks/pre-receive.sample           win10-20240404-en
behavioral11   Burpy/.git/hooks/prepare-commit-msg.sample    win10-20240404-en
behavioral12   Burpy/.git/hooks/push-to-checkout.sample      win10-20240404-en
behavioral13   Burpy/.git/hooks/sendemail-validate.sample    win10-20240404-en
behavioral14   Burpy/.git/hooks/update.sample                win10-20240404-en
behavioral15   Burpy/BurpLoaderKeygen.jar                    win10-20240404-en
behavioral16   Burpy/Linux_setup.sh                          win10-20240404-en
behavioral17   Burpy/Windows_setup.ps1                       win10-20240404-en
behavioral18   Burpy/burpsuite_pro.sh                        win10-20240404-en
behavioral19   Burpy/keygen.jar                              win10-20240404-en
behavioral20   Burpy/loader.jar                              win10-20240404-en
General
Target: Burpy/Windows_setup.ps1
Size: 4KB
MD5: a73b48e0fb186611feae995695839cd7
SHA1: a01d14bcfbc5c70f5a5bb323a5b3655bdad9fe1b
SHA256: 5ab8bdffdbec79d415460bea619c42c841d334923ed20b22b03b3c5ece29aba0
SHA512: 47143cb6eb944e9f57e0dd3e66913da0ccb179edaf85b817ef85f3d20a97c469ef5c399e57e9e82e34ec3377da1a707878354f745fb06eb760f7f4af02a86213
SSDEEP: 96:+Babm/UoaSkGNe2P02RuPNULrVy/DAiXMP02RutZn:jXtSkw9zQrxXgsZn
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow   pid    process
16     1176   powershell.exe
19     2544   msiexec.exe
32     1176   powershell.exe

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
pid    process
380    jdk-19.exe
2208   jdk-19.exe
4548   java.exe
4580   java.exe
2568   java.exe
2592   java.exe
Loads dropped DLL (40 IoCs)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (2 IoCs)
description                   ioc                                                   process
File created                  C:\Windows\system32\WindowsAccessBridge-64.dll        MsiExec.exe
File opened for modification  C:\Windows\system32\WindowsAccessBridge-64.dll        MsiExec.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (34 IoCs)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                 process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    msiexec.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  msiexec.exe
Modifies data under HKEY_USERS (22 IoCs)
Modifies registry class (35 IoCs)
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1176 | powershell.exe
1176 | powershell.exe
1176 | powershell.exe
912 | msiexec.exe
912 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1176 | powershell.exe
Token: SeSecurityPrivilege | 912 | msiexec.exe
Token: SeShutdownPrivilege | 2544 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2544 | msiexec.exe
Token: SeCreateTokenPrivilege | 2544 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2544 | msiexec.exe
Token: SeLockMemoryPrivilege | 2544 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2544 | msiexec.exe
Token: SeMachineAccountPrivilege | 2544 | msiexec.exe
Token: SeTcbPrivilege | 2544 | msiexec.exe
Token: SeSecurityPrivilege | 2544 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2544 | msiexec.exe
Token: SeLoadDriverPrivilege | 2544 | msiexec.exe
Token: SeSystemProfilePrivilege | 2544 | msiexec.exe
Token: SeSystemtimePrivilege | 2544 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2544 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2544 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2544 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2544 | msiexec.exe
Token: SeBackupPrivilege | 2544 | msiexec.exe
Token: SeRestorePrivilege | 2544 | msiexec.exe
Token: SeShutdownPrivilege | 2544 | msiexec.exe
Token: SeDebugPrivilege | 2544 | msiexec.exe
Token: SeAuditPrivilege | 2544 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2544 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2544 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2544 | msiexec.exe
Token: SeUndockPrivilege | 2544 | msiexec.exe
Token: SeSyncAgentPrivilege | 2544 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2544 | msiexec.exe
Token: SeManageVolumePrivilege | 2544 | msiexec.exe
Token: SeImpersonatePrivilege | 2544 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2544 | msiexec.exe
Token: SeCreateTokenPrivilege | 2544 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2544 | msiexec.exe
Token: SeLockMemoryPrivilege | 2544 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2544 | msiexec.exe
Token: SeMachineAccountPrivilege | 2544 | msiexec.exe
Token: SeTcbPrivilege | 2544 | msiexec.exe
Token: SeSecurityPrivilege | 2544 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2544 | msiexec.exe
Token: SeLoadDriverPrivilege | 2544 | msiexec.exe
Token: SeSystemProfilePrivilege | 2544 | msiexec.exe
Token: SeSystemtimePrivilege | 2544 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2544 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2544 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2544 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2544 | msiexec.exe
Token: SeBackupPrivilege | 2544 | msiexec.exe
Token: SeRestorePrivilege | 2544 | msiexec.exe
Token: SeShutdownPrivilege | 2544 | msiexec.exe
Token: SeDebugPrivilege | 2544 | msiexec.exe
Token: SeAuditPrivilege | 2544 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2544 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2544 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2544 | msiexec.exe
Token: SeUndockPrivilege | 2544 | msiexec.exe
Token: SeSyncAgentPrivilege | 2544 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2544 | msiexec.exe
Token: SeManageVolumePrivilege | 2544 | msiexec.exe
Token: SeImpersonatePrivilege | 2544 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2544 | msiexec.exe
Token: SeCreateTokenPrivilege | 2544 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2544 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2544 | msiexec.exe
2544 | msiexec.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 1176 wrote to memory of 380 | 1176 | powershell.exe | jdk-19.exe
PID 1176 wrote to memory of 380 | 1176 | powershell.exe | jdk-19.exe
PID 380 wrote to memory of 2208 | 380 | jdk-19.exe | jdk-19.exe
PID 380 wrote to memory of 2208 | 380 | jdk-19.exe | jdk-19.exe
PID 2208 wrote to memory of 2544 | 2208 | jdk-19.exe | msiexec.exe
PID 2208 wrote to memory of 2544 | 2208 | jdk-19.exe | msiexec.exe
PID 912 wrote to memory of 4064 | 912 | msiexec.exe | MsiExec.exe
PID 912 wrote to memory of 4064 | 912 | msiexec.exe | MsiExec.exe
PID 912 wrote to memory of 4112 | 912 | msiexec.exe | srtasks.exe
PID 912 wrote to memory of 4112 | 912 | msiexec.exe | srtasks.exe
PID 912 wrote to memory of 5064 | 912 | msiexec.exe | MsiExec.exe
PID 912 wrote to memory of 5064 | 912 | msiexec.exe | MsiExec.exe
PID 912 wrote to memory of 1552 | 912 | msiexec.exe | MsiExec.exe
PID 912 wrote to memory of 1552 | 912 | msiexec.exe | MsiExec.exe
PID 1176 wrote to memory of 4548 | 1176 | powershell.exe | java.exe
PID 1176 wrote to memory of 4548 | 1176 | powershell.exe | java.exe
PID 1176 wrote to memory of 4580 | 1176 | powershell.exe | java.exe
PID 1176 wrote to memory of 4580 | 1176 | powershell.exe | java.exe
PID 4580 wrote to memory of 2568 | 4580 | java.exe | java.exe
PID 4580 wrote to memory of 2568 | 4580 | java.exe | java.exe
PID 4548 wrote to memory of 2592 | 4548 | java.exe | java.exe
PID 4548 wrote to memory of 2592 | 4548 | java.exe | java.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burpy\Windows_setup.ps1
  PID: 1176
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Burpy\jdk-19.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Burpy\jdk-19.exe"
    PID: 380
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\jds240638765.tmp\jdk-19.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jds240638765.tmp\jdk-19.exe"
      PID: 2208
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\System32\msiexec.exe
        Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk19.0.2_x64\jdk19.0.264.msi" WRAPPER=1
        PID: 2544
        - Blocklisted process makes network request
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
  - C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
    Command line: "C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" -jar New-loader.jar
    PID: 4548
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files\Java\jdk-19\bin\java.exe
      Command line: "C:\Program Files\Java\jdk-19\bin\java.exe" -jar New-loader.jar
      PID: 2592
      - Executes dropped EXE
      - Loads dropped DLL
  - C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
    Command line: "C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
    PID: 4580
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files\Java\jdk-19\bin\java.exe
      Command line: "C:\Program Files\Java\jdk-19\bin\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
      PID: 2568
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 912
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 230A418D1F01AB19714D2CDE820D42B0 C
    PID: 4064
    - Loads dropped DLL
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4112
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 754BC2175FCD2024362BBABCEF857194
    PID: 5064
    - Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 39D4D4474B3CC760777A84B18CFE3F48 E Global\MSI0000
    PID: 1552
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3088
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  PID: 3860
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4492
Network
MITRE ATT&CK Enterprise v15
Downloads