Analysis
max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04-12-2024 23:47
Static task
static1
Behavioral task
behavioral1
Sample
54 45 53 54/ERROR422.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
54 45 53 54/ERROR422.exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
54 45 53 54/jdk-8u191-windows-i586.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
54 45 53 54/jdk-8u191-windows-i586.exe
Resource
win11-20241007-en
General
Target
54 45 53 54/jdk-8u191-windows-i586.exe
Size
197.3MB
MD5
50cfd28a3a3243bc5e9be096a3b9fd97
SHA1
bc8f26edb5d1b6d93459405da76bc52c9b882e69
SHA256
a92fce986622e9846b93e396a7eda6214e7f7ea90860794c934f423c10813622
SHA512
859e7cc427a5ea990dd3b5301d0bb68aceac9b32f62363d5d21ed90ad45a7a7912d201dc276786bfcfb18a8683776623c7b78c4ad06c4f8002033bfaa6e8855e
SSDEEP
6291456:TRcAp+FfSMhbAOo8ZycQv15tZ8YpG+sdjjceHAk8iaKmh:TRcAp4SWAURo5MAHojjjHEiaT
Malware Config
Signatures
Executes dropped EXE 11 IoCs
pid | Process
4832 | jdk-8u191-windows-i586.exe
3004 | unpack200.exe
5092 | unpack200.exe
3424 | unpack200.exe
4604 | unpack200.exe
5108 | unpack200.exe
4828 | unpack200.exe
4724 | unpack200.exe
2680 | unpack200.exe
2516 | javaw.exe
3032 | jre.exe
Loads dropped DLL 40 IoCs
Blocklisted process makes network request 4 IoCs
flow | pid | Process
14 | 1240 | msiexec.exe
16 | 1240 | msiexec.exe
18 | 1240 | msiexec.exe
20 | 1240 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 32 IoCs
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | javaw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unpack200.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jre.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdk-8u191-windows-i586.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdk-8u191-windows-i586.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
Modifies data under HKEY_USERS 11 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Printers | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\EUDC | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\System | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Console | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Environment | MsiExec.exe
Modifies registry class 39 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4684 | msiexec.exe
4684 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1240 | msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3032 | jre.exe
3032 | jre.exe
Suspicious use of WriteProcessMemory 47 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe
"C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
  C:\Users\Admin\AppData\Local\Temp\jds240619812.tmp\jdk-8u191-windows-i586.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240619812.tmp\jdk-8u191-windows-i586.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
    C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi" WRAPPER=1
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1240
      C:\Program Files (x86)\Java\jdk1.8.0_191\jre.exe
      "C:\Program Files (x86)\Java\jdk1.8.0_191\\jre.exe" LAUNCHEDFROMJDK=1 NOSTARTMENU=0
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:3032
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8DEE7F47B9192C2648D0FCA7717B51F4 C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2148
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID:4436
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DD0DF3E594729E8877D006C94CBEF3B6
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4416
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CF2D813B07D7F5AF98399A6A494C0FAE E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4776
    C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.jar"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3004
    C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.jar"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:5092
    C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.jar"
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3424
    C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.jar"
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4604
    C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.jar"
- Executes dropped EXE
- Loads dropped DLL
PID:5108
-
-
C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe"C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4828
-
-
C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe"C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4724
-
-
C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe"C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.jar"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680
-
-
-
C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\javaw.exe"C:\Program Files (x86)\Java\jdk1.8.0_191\\jre\bin\javaw.exe" -Xshare:dump2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:832
Network
MITRE ATT&CK Enterprise v15
Downloads