5da1ed1fa59fe6b26615347b83820e693f2a8eec1c95c05bd3f5d9e12b00cd3a

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54 45 53 54/jdk-8u191-windows-i586.exe
Size

197.3MB
MD5

50cfd28a3a3243bc5e9be096a3b9fd97
SHA1

bc8f26edb5d1b6d93459405da76bc52c9b882e69
SHA256

a92fce986622e9846b93e396a7eda6214e7f7ea90860794c934f423c10813622
SHA512

859e7cc427a5ea990dd3b5301d0bb68aceac9b32f62363d5d21ed90ad45a7a7912d201dc276786bfcfb18a8683776623c7b78c4ad06c4f8002033bfaa6e8855e
SSDEEP

6291456:TRcAp+FfSMhbAOo8ZycQv15tZ8YpG+sdjjceHAk8iaKmh:TRcAp4SWAURo5MAHojjjHEiaT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
2100	jdk-8u191-windows-i586.exe
3648	unpack200.exe
4424	unpack200.exe
448	unpack200.exe
644	unpack200.exe
2260	unpack200.exe
4444	unpack200.exe
3456	unpack200.exe
3156	unpack200.exe
4208	javaw.exe
1536	jre.exe

Loads dropped DLL 40 IoCs

pid	Process
4512	MsiExec.exe
4512	MsiExec.exe
4512	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
2320	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3488	MsiExec.exe
3648	unpack200.exe
4424	unpack200.exe
448	unpack200.exe
644	unpack200.exe
2260	unpack200.exe
4444	unpack200.exe
3456	unpack200.exe
3156	unpack200.exe
4208	javaw.exe
4208	javaw.exe
4208	javaw.exe
4208	javaw.exe
4208	javaw.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
14	2012	msiexec.exe
16	2012	msiexec.exe
18	2012	msiexec.exe
21	2012	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\org-openide-dialogs.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\java_crw_demo.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\deploy\messages.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\sa-jdi.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\LICENSE	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\verify.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\fonts\LucidaSansRegular.ttf	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\lib\deployed\jdk15\windows\profilerinterface.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-private-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-openide-actions.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\deploy\[email protected]	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\bin\kinit.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\glib-lite.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\ssvagent.exe	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\THIRDPARTYLICENSEREADME.txt	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFBFB.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ed5f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1644.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1526.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFACE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1683.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1567.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1716.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{32A3A4F4-B792-11D6-A78A-00B0D0180191}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1577.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1705.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ed5d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ed5d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1556.tmp	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdk-8u191-windows-i586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdk-8u191-windows-i586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\System	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\PublicjreFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\2 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Version = "134219638"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\PackageName = "jdk1.8.0_191.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\4 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jar	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jdk-1.8\\bin\\javaw.exe\" -jar \"%1\" %*"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\ToolsFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductName = "Java SE Development Kit 8 Update 191"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\PackageCode = "E663C303E21155C42B46898EBE586277"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\SourceFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductIcon = "C:\\Program Files (x86)\\Java\\jdk1.8.0_191\\\\bin\\javaws.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\java.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\3 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	msiexec.exe
4836	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	4836	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe
Token: SeAuditPrivilege	2012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2012	msiexec.exe
Token: SeChangeNotifyPrivilege	2012	msiexec.exe
Token: SeRemoteShutdownPrivilege	2012	msiexec.exe
Token: SeUndockPrivilege	2012	msiexec.exe
Token: SeSyncAgentPrivilege	2012	msiexec.exe
Token: SeEnableDelegationPrivilege	2012	msiexec.exe
Token: SeManageVolumePrivilege	2012	msiexec.exe
Token: SeImpersonatePrivilege	2012	msiexec.exe
Token: SeCreateGlobalPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe
Token: SeAuditPrivilege	2012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2012	msiexec.exe
Token: SeChangeNotifyPrivilege	2012	msiexec.exe
Token: SeRemoteShutdownPrivilege	2012	msiexec.exe
Token: SeUndockPrivilege	2012	msiexec.exe
Token: SeSyncAgentPrivilege	2012	msiexec.exe
Token: SeEnableDelegationPrivilege	2012	msiexec.exe
Token: SeManageVolumePrivilege	2012	msiexec.exe
Token: SeImpersonatePrivilege	2012	msiexec.exe
Token: SeCreateGlobalPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1536	jre.exe
1536	jre.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2100	4912	jdk-8u191-windows-i586.exe	84
PID 4912 wrote to memory of 2100	4912	jdk-8u191-windows-i586.exe	84
PID 4912 wrote to memory of 2100	4912	jdk-8u191-windows-i586.exe	84
PID 2100 wrote to memory of 2012	2100	jdk-8u191-windows-i586.exe	85
PID 2100 wrote to memory of 2012	2100	jdk-8u191-windows-i586.exe	85
PID 2100 wrote to memory of 2012	2100	jdk-8u191-windows-i586.exe	85
PID 4836 wrote to memory of 4512	4836	msiexec.exe	91
PID 4836 wrote to memory of 4512	4836	msiexec.exe	91
PID 4836 wrote to memory of 4512	4836	msiexec.exe	91
PID 4836 wrote to memory of 1984	4836	msiexec.exe	107
PID 4836 wrote to memory of 1984	4836	msiexec.exe	107
PID 4836 wrote to memory of 2320	4836	msiexec.exe	111
PID 4836 wrote to memory of 2320	4836	msiexec.exe	111
PID 4836 wrote to memory of 2320	4836	msiexec.exe	111
PID 4836 wrote to memory of 3488	4836	msiexec.exe	113
PID 4836 wrote to memory of 3488	4836	msiexec.exe	113
PID 4836 wrote to memory of 3488	4836	msiexec.exe	113
PID 3488 wrote to memory of 3648	3488	MsiExec.exe	114
PID 3488 wrote to memory of 3648	3488	MsiExec.exe	114
PID 3488 wrote to memory of 3648	3488	MsiExec.exe	114
PID 3488 wrote to memory of 4424	3488	MsiExec.exe	116
PID 3488 wrote to memory of 4424	3488	MsiExec.exe	116
PID 3488 wrote to memory of 4424	3488	MsiExec.exe	116
PID 3488 wrote to memory of 448	3488	MsiExec.exe	118
PID 3488 wrote to memory of 448	3488	MsiExec.exe	118
PID 3488 wrote to memory of 448	3488	MsiExec.exe	118
PID 3488 wrote to memory of 644	3488	MsiExec.exe	120
PID 3488 wrote to memory of 644	3488	MsiExec.exe	120
PID 3488 wrote to memory of 644	3488	MsiExec.exe	120
PID 3488 wrote to memory of 2260	3488	MsiExec.exe	122
PID 3488 wrote to memory of 2260	3488	MsiExec.exe	122
PID 3488 wrote to memory of 2260	3488	MsiExec.exe	122
PID 3488 wrote to memory of 4444	3488	MsiExec.exe	124
PID 3488 wrote to memory of 4444	3488	MsiExec.exe	124
PID 3488 wrote to memory of 4444	3488	MsiExec.exe	124
PID 3488 wrote to memory of 3456	3488	MsiExec.exe	126
PID 3488 wrote to memory of 3456	3488	MsiExec.exe	126
PID 3488 wrote to memory of 3456	3488	MsiExec.exe	126
PID 3488 wrote to memory of 3156	3488	MsiExec.exe	128
PID 3488 wrote to memory of 3156	3488	MsiExec.exe	128
PID 3488 wrote to memory of 3156	3488	MsiExec.exe	128
PID 4836 wrote to memory of 4208	4836	msiexec.exe	130
PID 4836 wrote to memory of 4208	4836	msiexec.exe	130
PID 4836 wrote to memory of 4208	4836	msiexec.exe	130
PID 2012 wrote to memory of 1536	2012	msiexec.exe	131
PID 2012 wrote to memory of 1536	2012	msiexec.exe	131
PID 2012 wrote to memory of 1536	2012	msiexec.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe
"C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\jds240617421.tmp\jdk-8u191-windows-i586.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240617421.tmp\jdk-8u191-windows-i586.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi" WRAPPER=1
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Program Files (x86)\Java\jdk1.8.0_191\jre.exe
      "C:\Program Files (x86)\Java\jdk1.8.0_191\\jre.exe" LAUNCHEDFROMJDK=1 NOSTARTMENU=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1536

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4A0E5B9B271F8798D0CB8EC0D68E4ADD C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4512
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 68D357CA174A309AE54C0299638C4474
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 800371072075D3217CDA2718DC8229AF E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4424
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:448
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:644
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2260
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4444
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3456
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3156
- C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\javaw.exe
  "C:\Program Files (x86)\Java\jdk1.8.0_191\\jre\bin\javaw.exe" -Xshare:dump
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ed5e.rbs

Filesize
11KB

MD5
f112f5960840ca0b7e8d14126a1887ef

SHA1
3ebe9a022abb25b662b3dcc3af3a7ad81604c44c

SHA256
831f282ff233bca65c51c1ef6a20b9f9f22dbdc12eac8ba59da0c87b6cfa4b6f

SHA512
126ba24ed22ad1da4f3e889498b6665efc9d2c42278c49351a9bb7f53b8a4400b7cace9373c099c0a7f221a2f78971c3874e4ca2d6d44fe6b1e36089ae628585

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
b35adb5213ca9657e911e9befb180842

SHA1
8d80da0c92c1269b610b03cc8061556004898c85

SHA256
9a96d0daf98aa6fb4aa530d399c742c66121b0bdae4a1f7ffa22d2135e1df7fd

SHA512
82112691ba9b49c3e335e7eb7a426f5d24072c72424612b0d07863560fd37042b6408317db9bd973280eb17e100ec25d3ce18cc6eeedc57c27d338fa517ea6fa

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
8KB

MD5
1fabf1d6edd14f933014d5557c7b7522

SHA1
67958aa114880c281036cc14a4e53fa123c4d9ad

SHA256
5f7d79ccbca7bdd2d9e036984a8a60c6bb9051411a740dc538f36f882f983b6e

SHA512
4c4f2caafc7ea9e97303f31c6f6a192a64fea4f24cc9d071b8339a519c1ea7f951e14571c9e9a23eee140fb676c7b213dc25828b274639046d9e01f6cd85dd3b

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
36f381cc8f60a659777f1133a006de4f

SHA1
b70e38fecb27a4de0776951a919bf072e601690e

SHA256
a3f56fee6bf824076f7599298272225f054dabac6a45b517eedfedc1f37d3c16

SHA512
dc1afd3b53c97c090c3baae27ef50531b27ce72509fbe2d3d4e53b99bcf7d555d13a7545a072c518e446bc433c2cf14300bb149e784a1db841ef9c3f3dd0efae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_1958C8FC5F0E0F8549703D0A9B9309B5

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
2490403d578f1880648f8e05e241af81

SHA1
219c02c8ec14dd11e6e7d81f02c9523ffe023445

SHA256
40b069b9339d6a36925ec3d1af079b634d90e9c607040edff1959fa49c0ec29c

SHA512
01a8324f89004818bc978a9fa1d040ed0b8be757e41b4fe5d52bc14b84927ae8723413a09513391c93d7ec2ec0b8c8d6966ea608a640e3647856788b58e649df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
76d047f0d8905ab2e9ab2788550be6d6

SHA1
6721f6d96acf01352b58e551debc2b2f6efb988b

SHA256
f140b49878ece40eb8192ccd4c14e712cdf96960ea26deca958a7b039bcded91

SHA512
b5aec2beec87a4f151aabe0e58f75ca341bbdea14e212bd52afe6b2d5883c741d448bb417be71f7f70d78c087b5cdbc79eb79ee3c4ad9369f7155a81100b9cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
4a1ff14a01005acd238da61b6fd85f48

SHA1
0f9a17e3c042ea0592c1636110cb4bae44e8b60c

SHA256
231b0f201da73470746e696b082f78eac45028babe0a911228e900afa35ce493

SHA512
258305e2239cb160bf550ff1c7334bddb5a8c1fdcab96721735593da4712833b04ae3860afaeaee12d8f8880f1452bba17ddc9acdd754e5f9542ba007b831a07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1958C8FC5F0E0F8549703D0A9B9309B5

Filesize
402B

MD5
db1b350b5c490170899c3be4a4d11513

SHA1
cbc92ca15d1d70f6c9331f2e27a3c37f4c3aeb45

SHA256
dd50b3ab02b59835782815c601e60bb73346d0a2dea8a7fca2105c37634af230

SHA512
4a4f3c4de0538afdd31d7c3c2bf0d6823e75c7470c20c1257b81fe5c4994958949e10cb27eb05458e1d88b201a8b7f009686b3ee537ad40ab8fd4d8b57172508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
e46614e50fadcaaf01cd3b23b8dff677

SHA1
2aa33c7614a307e30abba568dc70713c057cac88

SHA256
fc9b7c288b60d32afa264f19953eb032b963fc25b60cc1313d7b56fb987c19a2

SHA512
3932c6c8de6adada9327b3553701dd8fe9e9224f755859b79c84f0c04c9192bd49fdd8f305be77f92e995c04f9d257ab86bae193a73faf4733ecbe42a7629a1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi

Filesize
948KB

MD5
84f5b7ada4e0c06a2aae07a8419c9f64

SHA1
ed8e9b61e4967b0608406f1255e3e2dbfee3cf0b

SHA256
530f769f400f371383aa1ffaab30b46791a3bb5ea8e9304e3efe9ef419a7faa0

SHA512
84a341cd6ad2e6b560f40792042e60d4d68cdc5cfefee7a85f28a55077aa872dcaa16e27b4a95bb7fe2516a4fe3b0e714c746b69cb826b5bddef8a659fcde38c

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\ss180191.cab

Filesize
18.8MB

MD5
13b35ab0d36be2f7c0f82de8beda0478

SHA1
04768f9d3affc6150bae2f6020072439cff65fe6

SHA256
6ddf1feb791d0bcdedd835713f96e0f40bf69c49e2632c40a56696ee0618b2d9

SHA512
54cf32cd5bf049cc24996b2f99dd27f0a349327f82ea669c673911d1697ca49a99bf099e9d7eb1089921a13ecc17dd8b6f8f136c452d0515d15a510815bfd6a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\sz180191.cab

Filesize
1KB

MD5
6ddd9f7229af91f72510332059768b7f

SHA1
2ca8b4863afc1d44352b35601dbfa652838baed2

SHA256
3a8f0955ee74c76f0879bcc3eb2c56c573c59a37be1e725846858ecf6ae455ac

SHA512
4351a88404f80cbb197dda565a27ea8e8e1d9a206207ff6469f1768080c5f8a00067488733f6470c028e6f15b9158ec47bc3052e1cab77ae7a8dc5358acaccd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9887.tmp

Filesize
565KB

MD5
4ca39f5a1af6d35e41170e8c30a8391e

SHA1
0ba37cf6d207c5401fc24687ae35fd6c93f10b79

SHA256
32b059eb787925202eebe00ab45312f8484a9dc09c0b76df6a7b38a161133457

SHA512
a4bcf340581edee8ad0fabaa9ee93be726d199022f8e7fc64aa88fb52cf713cb5be99cf2b8618aad3a7ac3b1715f1629394e8d8caed0ae113fea5b1674d13c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
3d96534aadf4a8133ef3fca06a416270

SHA1
c4437197575c5d0598c9641367ce2577250cf2e1

SHA256
a933fcc9ec3452c3b9b37e3f7c8536eb3940a1fc905b6767fc491fb06e586165

SHA512
77cd7b05d5afdbec35c068a1079a68af8cea5eaea08e430d877d53a63bdcd0337b7bd2dabeb2a330dcc66c82eb0db66c53fe4f84e81ec5f9e94dc69e381585f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
172KB

MD5
ef41e63d976d7979dfa5825fa8a1f474

SHA1
5890ba3c0f98dccbcc83d6c6f9429b9777cf21fb

SHA256
fc37b4178cf2d4d701eac8a3d268480853b063f35917069f8ac3792720d3b88d

SHA512
0eee3ceac2be12a2818b051f2cb3ca0e1d65898d7541b4478c56c012980e9b2e4097f7dd7e01239cf31ff6071dda5e78aa27698af9c6fba03a4eda19b80b0ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
172KB

MD5
245c856bd44792de3570c63f084e8025

SHA1
03748809363db82e08e4bb7a49b4f17763596525

SHA256
796634e4a0375231ab90977ad8351706968973294c00cd37e0ab87a136641c9a

SHA512
b94827693888e6abfa5481a9824cbc48391f76d6481368eca9f517b90daf790cee9f97cbc7df312a67109f6fa4c1fa67bca6dcda2af8505eeaebcad1be7ef771

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5568e623-b252-47f8-b127-0eec8b877dfe}_OnDiskSnapshotProp

Filesize
6KB

MD5
7cc73c1c59c6a0e6e978ecb333eda89e

SHA1
38de264f10aa7292a0d3058f6e7a729d4a8d6c19

SHA256
7e50a47adcda426ba69c5341cb831fab7d2db6033bc67e5aaa3eb1e7a2282dba

SHA512
c0c2a5230224a1a8450a261209f1f90e510d5e73c3ba97da95d35fce91aa714de29a1e52c298e1c1153fd87c3e3d9de58b6e8c53144a31a73cd539292bd34c5b

Download Submit
memory/4208-1902-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download