Analysis

max time kernel: 144s
max time network: 147s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-10-2024 18:33

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE
Resource: win11-20241007-en

General

Target: https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE

Malware Config

Signatures
Loads dropped DLL (3 IoCs)
pid Process
2752 MsiExec.exe
2296 MsiExec.exe
2152 MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow ioc
1 drive.google.com
5 drive.google.com
Drops file in Program Files directory (64 IoCs)
description ioc Process
File created C:\Program Files\JJBotv3\runtime\bin\javafx\prism_sw.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-processenvironment-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-file-l2-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-sysinfo-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\awt.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-rtlsupport-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-memory-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\javafx.fxml\ADDITIONAL_LICENSE_INFO msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\ADDITIONAL_LICENSE_INFO msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-util-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\conf\security\policy\README.txt msiexec.exe
File created C:\Program Files\JJBotv3\app\jnativehook-2.2.2-sources.jar msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-conio-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\javafx.controls\ASSEMBLY_EXCEPTION msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.base\wepoll.md msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-datetime-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-console-l1-2-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-heap-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\conf\security\policy\unlimited\default_local.policy msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-convert-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\ucrtbase.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-timezone-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-synch-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\lib\psfont.properties.ja msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.desktop\giflib.md msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-synch-l1-2-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-errorhandling-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\include\jvmti.h msiexec.exe
File created C:\Program Files\JJBotv3\runtime\lib\jvm.lib msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\server\jvm.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-util-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\lcms.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\lib\tzdb.dat msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-processthreads-l1-1-1.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-file-l1-2-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\lib\tzmappings msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-debug-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\app\JNativeHook.x86_64.dll msiexec.exe
File created C:\Program Files\JJBotv3\app\JJBotv3.cfg msiexec.exe
File created C:\Program Files\JJBotv3\runtime\conf\security\java.security msiexec.exe
File created C:\Program Files\JJBotv3\runtime\conf\logging.properties msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\ucrtbase.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\java.exe msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\javafx_iio.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.desktop\LICENSE msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\LICENSE msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.xml\bcel.md msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-libraryloader-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\include\win32\jni_md.h msiexec.exe
File created C:\Program Files\JJBotv3\JJBotv3.ico msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.base\LICENSE msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-file-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-console-l1-2-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-interlocked-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.base\asm.md msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\decora_sse.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\jawt.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.datatransfer\LICENSE msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\jsound.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-timezone-l1-1-0.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\bin\javafx\javafx_font.dll msiexec.exe
File created C:\Program Files\JJBotv3\runtime\legal\java.xml\COPYRIGHT msiexec.exe
File created C:\Program Files\JJBotv3\runtime\include\sizecalc.h msiexec.exe
Drops file in Windows directory (27 IoCs)
description ioc Process
File opened for modification C:\Windows\Installer\MSI83F1.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DFA1964800F3BF0A86.TMP msiexec.exe
File created C:\Windows\Installer\e59143a.msi msiexec.exe
File opened for modification C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305 msiexec.exe
File created C:\Windows\SystemTemp\~DF81B03AFFF76C33C9.TMP msiexec.exe
File created C:\Windows\SystemTemp\~DFA83363F219B928C8.TMP msiexec.exe
File created C:\Windows\SystemTemp\~DF6C685555755472B7.TMP msiexec.exe
File created C:\Windows\Installer\SourceHash{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC} msiexec.exe
File opened for modification C:\Windows\Installer\MSI1871.tmp msiexec.exe
File opened for modification C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON msiexec.exe
File opened for modification C:\Windows\Installer\MSI401E.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DFFEE3BD98BA1B8B4F.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI822A.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e59143a.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI1572.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON msiexec.exe
File created C:\Windows\SystemTemp\~DF521B6CDB3728D391.TMP msiexec.exe
File created C:\Windows\SystemTemp\~DF36CE2083AF449EC5.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI4213.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DF87780D098634391D.TMP msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\e59143c.msi msiexec.exe
File created C:\Windows\SystemTemp\~DF6ED6AC00E0BAEB2E.TMP msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\SystemTemp\~DF8D4354610D3EDCC2.TMP msiexec.exe
File created C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305 msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Modifies data under HKEY_USERS (7 IoCs)
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Modifies registry class (28 IoCs)
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductName = "JJBotv3" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\InstanceType = "0" msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductIcon = "C:\\Windows\\Installer\\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\\JpARPPRODUCTICON" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0\41E9151D0BA2C9837BDA155ED73C2CCD msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Language = "1033" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD\DefaultFeature msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Version = "16908288" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings msedge.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AdvertiseFlags = "388" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\PackageName = "JJBotv3-1.2.msi" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Assignment = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\PackageCode = "DE93FC7454BF4194BB87A0F843899217" msiexec.exe
NTFS ADS (3 IoCs)
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 815002.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\JJBotv3-1.2.msi:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 178492.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid Process (consecutive identical rows collapsed, in order)
2856 msedge.exe (2 events)
2008 msedge.exe (2 events)
5072 identity_helper.exe (2 events)
4964 msedge.exe (2 events)
3064 msedge.exe (2 events)
4104 msiexec.exe (4 events)
4088 msedge.exe (4 events)
4104 msiexec.exe (2 events)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
pid Process (consecutive identical rows collapsed, in order)
2008 msedge.exe (11 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process
Token: SeShutdownPrivilege 1872 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1872 msiexec.exe
Token: SeSecurityPrivilege 4104 msiexec.exe
Token: SeCreateTokenPrivilege 1872 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1872 msiexec.exe
Token: SeLockMemoryPrivilege 1872 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1872 msiexec.exe
Token: SeMachineAccountPrivilege 1872 msiexec.exe
Token: SeTcbPrivilege 1872 msiexec.exe
Token: SeSecurityPrivilege 1872 msiexec.exe
Token: SeTakeOwnershipPrivilege 1872 msiexec.exe
Token: SeLoadDriverPrivilege 1872 msiexec.exe
Token: SeSystemProfilePrivilege 1872 msiexec.exe
Token: SeSystemtimePrivilege 1872 msiexec.exe
Token: SeProfSingleProcessPrivilege 1872 msiexec.exe
Token: SeIncBasePriorityPrivilege 1872 msiexec.exe
Token: SeCreatePagefilePrivilege 1872 msiexec.exe
Token: SeCreatePermanentPrivilege 1872 msiexec.exe
Token: SeBackupPrivilege 1872 msiexec.exe
Token: SeRestorePrivilege 1872 msiexec.exe
Token: SeShutdownPrivilege 1872 msiexec.exe
Token: SeDebugPrivilege 1872 msiexec.exe
Token: SeAuditPrivilege 1872 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1872 msiexec.exe
Token: SeChangeNotifyPrivilege 1872 msiexec.exe
Token: SeRemoteShutdownPrivilege 1872 msiexec.exe
Token: SeUndockPrivilege 1872 msiexec.exe
Token: SeSyncAgentPrivilege 1872 msiexec.exe
Token: SeEnableDelegationPrivilege 1872 msiexec.exe
Token: SeManageVolumePrivilege 1872 msiexec.exe
Token: SeImpersonatePrivilege 1872 msiexec.exe
Token: SeCreateGlobalPrivilege 1872 msiexec.exe
Token: SeBackupPrivilege 4140 vssvc.exe
Token: SeRestorePrivilege 4140 vssvc.exe
Token: SeAuditPrivilege 4140 vssvc.exe
Token: SeBackupPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeBackupPrivilege 480 srtasks.exe
Token: SeRestorePrivilege 480 srtasks.exe
Token: SeSecurityPrivilege 480 srtasks.exe
Token: SeTakeOwnershipPrivilege 480 srtasks.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeBackupPrivilege 480 srtasks.exe
Token: SeRestorePrivilege 480 srtasks.exe
Token: SeSecurityPrivilege 480 srtasks.exe
Token: SeTakeOwnershipPrivilege 480 srtasks.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Token: SeTakeOwnershipPrivilege 4104 msiexec.exe
Token: SeRestorePrivilege 4104 msiexec.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process (consecutive identical rows collapsed, in order)
2008 msedge.exe (52 events)
1872 msiexec.exe (1 event)
2008 msedge.exe (11 events)
Suspicious use of SendNotifyMessage (12 IoCs)
pid Process (consecutive identical rows collapsed, in order)
2008 msedge.exe (12 events)
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target (consecutive identical rows collapsed, in order)
PID 2008 wrote to memory of 3992 2008 msedge.exe 80 (2 events)
PID 2008 wrote to memory of 3592 2008 msedge.exe 81 (40 events)
PID 2008 wrote to memory of 2856 2008 msedge.exe 82 (2 events)
PID 2008 wrote to memory of 1092 2008 msedge.exe 83 (20 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE
PID: 2008
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74643cb8,0x7ffb74643cc8,0x7ffb74643cd8
  PID: 3992

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  PID: 3592

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  PID: 2856
  - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  PID: 1092

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  PID: 808

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  PID: 236

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  PID: 5072
  - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  PID: 4964
  - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  PID: 2796

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  PID: 744

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  PID: 2824

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  PID: 4932

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  PID: 392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵PID:4876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3064
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJBotv3-1.2.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵PID:3292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:12⤵PID:4276
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJBotv3-1.2.msi"2⤵
- Enumerates connected drives
PID:2464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6652 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12097437171704084128,9358307095275637472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵PID:4012
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJBotv3-1.2.msi"2⤵
- Enumerates connected drives
PID:2528
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1380
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4024
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:480
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 267AD2D6CC611B4167653D36CDB4FB302⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2752
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 12DF72813AC1CF7A4D06351AA090FB732⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BEFC3AA80AFE504DDB98A5317DB8294A2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2152
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:1424
Downloads