5da1ed1fa59fe6b26615347b83820e693f2a8eec1c95c05bd3f5d9e12b00cd3a

Analysis

max time kernel
151s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54 45 53 54/jdk-8u191-windows-i586.exe
Size

197.3MB
MD5

50cfd28a3a3243bc5e9be096a3b9fd97
SHA1

bc8f26edb5d1b6d93459405da76bc52c9b882e69
SHA256

a92fce986622e9846b93e396a7eda6214e7f7ea90860794c934f423c10813622
SHA512

859e7cc427a5ea990dd3b5301d0bb68aceac9b32f62363d5d21ed90ad45a7a7912d201dc276786bfcfb18a8683776623c7b78c4ad06c4f8002033bfaa6e8855e
SSDEEP

6291456:TRcAp+FfSMhbAOo8ZycQv15tZ8YpG+sdjjceHAk8iaKmh:TRcAp4SWAURo5MAHojjjHEiaT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
5112	jdk-8u191-windows-i586.exe
2800	unpack200.exe
4032	unpack200.exe
4220	unpack200.exe
5104	unpack200.exe
3920	unpack200.exe
420	unpack200.exe
1592	unpack200.exe
2540	unpack200.exe
3876	javaw.exe
1324	jre.exe

Loads dropped DLL 40 IoCs

pid	Process
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
3536	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
888	MsiExec.exe
2800	unpack200.exe
4032	unpack200.exe
4220	unpack200.exe
5104	unpack200.exe
3920	unpack200.exe
420	unpack200.exe
1592	unpack200.exe
2540	unpack200.exe
3876	javaw.exe
3876	javaw.exe
3876	javaw.exe
3876	javaw.exe
3876	javaw.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	1848	msiexec.exe
3	1848	msiexec.exe
5	1848	msiexec.exe
6	1848	msiexec.exe
7	1848	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\jsse.pack	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\j2pcsc.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\security\policy\unlimited\local_policy.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\org-openide-windows.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\prism_d3d.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\flavormap.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.2.174165\META-INF\MANIFEST.MF	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.2.174165.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\deploy\messages_zh_CN.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\net.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.2.174165\feature.properties	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.2.174165\icons\send-email-16.png	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.2.174165.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.2.174165.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\core\core.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\management.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\THIRDPARTYLICENSEREADME.txt	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\core\locale\core_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\fontconfig.properties.src	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\release	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\dt_shmem.dll	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\jre\lib\images\cursors\win32_MoveDrop32x32.gif	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar	MsiExec.exe
File created	C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar	MsiExec.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI578.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI588.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI607.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{32A3A4F4-B792-11D6-A78A-00B0D0180191}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI609.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e148.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE40.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e14a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF847.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF455EC38248E2200D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE30.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE62.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI61A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCAB9D9522FB1C221.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE83D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE61.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI519.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9071B61ECA56C6CD.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e148.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA25C82D7941864E0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI608.tmp	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpack200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdk-8u191-windows-i586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdk-8u191-windows-i586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002fc80c284bade0450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002fc80c280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002fc80c28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2fc80c28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002fc80c2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Console	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\System	MsiExec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\3 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\PackageCode = "E663C303E21155C42B46898EBE586277"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\2 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jdk-1.8\\bin\\javaw.exe\" -jar \"%1\" %*"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductName = "Java SE Development Kit 8 Update 191"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\java.exe	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\ToolsFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\4 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\PublicjreFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A23297B6D117AA8000B0D810000\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\PackageName = "jdk1.8.0_191.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Version = "134219638"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk1.8.0_191\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4F4A3A23297B6D117AA8000B0D811019\SourceFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\ProductIcon = "C:\\Program Files (x86)\\Java\\jdk1.8.0_191\\\\bin\\javaws.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4F4A3A23297B6D117AA8000B0D811019\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jar	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	msiexec.exe
3496	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	3496	msiexec.exe
Token: SeCreateTokenPrivilege	1848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1848	msiexec.exe
Token: SeLockMemoryPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeMachineAccountPrivilege	1848	msiexec.exe
Token: SeTcbPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeLoadDriverPrivilege	1848	msiexec.exe
Token: SeSystemProfilePrivilege	1848	msiexec.exe
Token: SeSystemtimePrivilege	1848	msiexec.exe
Token: SeProfSingleProcessPrivilege	1848	msiexec.exe
Token: SeIncBasePriorityPrivilege	1848	msiexec.exe
Token: SeCreatePagefilePrivilege	1848	msiexec.exe
Token: SeCreatePermanentPrivilege	1848	msiexec.exe
Token: SeBackupPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeDebugPrivilege	1848	msiexec.exe
Token: SeAuditPrivilege	1848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1848	msiexec.exe
Token: SeChangeNotifyPrivilege	1848	msiexec.exe
Token: SeRemoteShutdownPrivilege	1848	msiexec.exe
Token: SeUndockPrivilege	1848	msiexec.exe
Token: SeSyncAgentPrivilege	1848	msiexec.exe
Token: SeEnableDelegationPrivilege	1848	msiexec.exe
Token: SeManageVolumePrivilege	1848	msiexec.exe
Token: SeImpersonatePrivilege	1848	msiexec.exe
Token: SeCreateGlobalPrivilege	1848	msiexec.exe
Token: SeCreateTokenPrivilege	1848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1848	msiexec.exe
Token: SeLockMemoryPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeMachineAccountPrivilege	1848	msiexec.exe
Token: SeTcbPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeLoadDriverPrivilege	1848	msiexec.exe
Token: SeSystemProfilePrivilege	1848	msiexec.exe
Token: SeSystemtimePrivilege	1848	msiexec.exe
Token: SeProfSingleProcessPrivilege	1848	msiexec.exe
Token: SeIncBasePriorityPrivilege	1848	msiexec.exe
Token: SeCreatePagefilePrivilege	1848	msiexec.exe
Token: SeCreatePermanentPrivilege	1848	msiexec.exe
Token: SeBackupPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeDebugPrivilege	1848	msiexec.exe
Token: SeAuditPrivilege	1848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1848	msiexec.exe
Token: SeChangeNotifyPrivilege	1848	msiexec.exe
Token: SeRemoteShutdownPrivilege	1848	msiexec.exe
Token: SeUndockPrivilege	1848	msiexec.exe
Token: SeSyncAgentPrivilege	1848	msiexec.exe
Token: SeEnableDelegationPrivilege	1848	msiexec.exe
Token: SeManageVolumePrivilege	1848	msiexec.exe
Token: SeImpersonatePrivilege	1848	msiexec.exe
Token: SeCreateGlobalPrivilege	1848	msiexec.exe
Token: SeCreateTokenPrivilege	1848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1848	msiexec.exe
Token: SeLockMemoryPrivilege	1848	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1848	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1324	jre.exe
1324	jre.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 5112	1992	jdk-8u191-windows-i586.exe	77
PID 1992 wrote to memory of 5112	1992	jdk-8u191-windows-i586.exe	77
PID 1992 wrote to memory of 5112	1992	jdk-8u191-windows-i586.exe	77
PID 5112 wrote to memory of 1848	5112	jdk-8u191-windows-i586.exe	78
PID 5112 wrote to memory of 1848	5112	jdk-8u191-windows-i586.exe	78
PID 5112 wrote to memory of 1848	5112	jdk-8u191-windows-i586.exe	78
PID 3496 wrote to memory of 2704	3496	msiexec.exe	82
PID 3496 wrote to memory of 2704	3496	msiexec.exe	82
PID 3496 wrote to memory of 2704	3496	msiexec.exe	82
PID 3496 wrote to memory of 3148	3496	msiexec.exe	86
PID 3496 wrote to memory of 3148	3496	msiexec.exe	86
PID 3496 wrote to memory of 3536	3496	msiexec.exe	88
PID 3496 wrote to memory of 3536	3496	msiexec.exe	88
PID 3496 wrote to memory of 3536	3496	msiexec.exe	88
PID 3496 wrote to memory of 888	3496	msiexec.exe	89
PID 3496 wrote to memory of 888	3496	msiexec.exe	89
PID 3496 wrote to memory of 888	3496	msiexec.exe	89
PID 888 wrote to memory of 2800	888	MsiExec.exe	90
PID 888 wrote to memory of 2800	888	MsiExec.exe	90
PID 888 wrote to memory of 2800	888	MsiExec.exe	90
PID 888 wrote to memory of 4032	888	MsiExec.exe	92
PID 888 wrote to memory of 4032	888	MsiExec.exe	92
PID 888 wrote to memory of 4032	888	MsiExec.exe	92
PID 888 wrote to memory of 4220	888	MsiExec.exe	94
PID 888 wrote to memory of 4220	888	MsiExec.exe	94
PID 888 wrote to memory of 4220	888	MsiExec.exe	94
PID 888 wrote to memory of 5104	888	MsiExec.exe	96
PID 888 wrote to memory of 5104	888	MsiExec.exe	96
PID 888 wrote to memory of 5104	888	MsiExec.exe	96
PID 888 wrote to memory of 3920	888	MsiExec.exe	98
PID 888 wrote to memory of 3920	888	MsiExec.exe	98
PID 888 wrote to memory of 3920	888	MsiExec.exe	98
PID 888 wrote to memory of 420	888	MsiExec.exe	100
PID 888 wrote to memory of 420	888	MsiExec.exe	100
PID 888 wrote to memory of 420	888	MsiExec.exe	100
PID 888 wrote to memory of 1592	888	MsiExec.exe	102
PID 888 wrote to memory of 1592	888	MsiExec.exe	102
PID 888 wrote to memory of 1592	888	MsiExec.exe	102
PID 888 wrote to memory of 2540	888	MsiExec.exe	104
PID 888 wrote to memory of 2540	888	MsiExec.exe	104
PID 888 wrote to memory of 2540	888	MsiExec.exe	104
PID 3496 wrote to memory of 3876	3496	msiexec.exe	106
PID 3496 wrote to memory of 3876	3496	msiexec.exe	106
PID 3496 wrote to memory of 3876	3496	msiexec.exe	106
PID 1848 wrote to memory of 1324	1848	msiexec.exe	107
PID 1848 wrote to memory of 1324	1848	msiexec.exe	107
PID 1848 wrote to memory of 1324	1848	msiexec.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe
"C:\Users\Admin\AppData\Local\Temp\54 45 53 54\jdk-8u191-windows-i586.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\jds240617406.tmp\jdk-8u191-windows-i586.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240617406.tmp\jdk-8u191-windows-i586.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi" WRAPPER=1
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Program Files (x86)\Java\jdk1.8.0_191\jre.exe
      "C:\Program Files (x86)\Java\jdk1.8.0_191\\jre.exe" LAUNCHEDFROMJDK=1 NOSTARTMENU=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 394353CDED06D29E617DA2A5C1E98268 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3148
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24CCDB367B9B3BB84D648EEFB08A2465
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2828091029AA9121C2CBF774924DA195 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\lib/tools.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/plugin.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4032
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/javaws.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4220
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/deploy.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5104
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/rt.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3920
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/jsse.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:420
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/charsets.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1592
- - C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe
    "C:\Program Files (x86)\Java\jdk1.8.0_191\bin\unpack200.exe" -r "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.pack" "C:\Program Files (x86)\Java\jdk1.8.0_191\jre/lib/ext/localedata.jar"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2540
- C:\Program Files (x86)\Java\jdk1.8.0_191\jre\bin\javaw.exe
  "C:\Program Files (x86)\Java\jdk1.8.0_191\\jre\bin\javaw.exe" -Xshare:dump
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e149.rbs

Filesize
11KB

MD5
b249d51d4ef9a6468b5ca03ac87f6684

SHA1
cd21710e0e77ff6451aad10e416d6bbb61dfc608

SHA256
fd7764b21f4b1223f7c146713a589e5b2cef890bedaff51c0ec283d056a99754

SHA512
eb028455758df2883e2238bc0604a060ccf9695f88470f30561937b80550c2090964da60af9f5b94d1c7316e29643fcfc2d33b99581dc50d948a308f5e065855

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
b35adb5213ca9657e911e9befb180842

SHA1
8d80da0c92c1269b610b03cc8061556004898c85

SHA256
9a96d0daf98aa6fb4aa530d399c742c66121b0bdae4a1f7ffa22d2135e1df7fd

SHA512
82112691ba9b49c3e335e7eb7a426f5d24072c72424612b0d07863560fd37042b6408317db9bd973280eb17e100ec25d3ce18cc6eeedc57c27d338fa517ea6fa

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
8KB

MD5
1fabf1d6edd14f933014d5557c7b7522

SHA1
67958aa114880c281036cc14a4e53fa123c4d9ad

SHA256
5f7d79ccbca7bdd2d9e036984a8a60c6bb9051411a740dc538f36f882f983b6e

SHA512
4c4f2caafc7ea9e97303f31c6f6a192a64fea4f24cc9d071b8339a519c1ea7f951e14571c9e9a23eee140fb676c7b213dc25828b274639046d9e01f6cd85dd3b

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Program Files (x86)\Java\jdk1.8.0_191\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
36f381cc8f60a659777f1133a006de4f

SHA1
b70e38fecb27a4de0776951a919bf072e601690e

SHA256
a3f56fee6bf824076f7599298272225f054dabac6a45b517eedfedc1f37d3c16

SHA512
dc1afd3b53c97c090c3baae27ef50531b27ce72509fbe2d3d4e53b99bcf7d555d13a7545a072c518e446bc433c2cf14300bb149e784a1db841ef9c3f3dd0efae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
2490403d578f1880648f8e05e241af81

SHA1
219c02c8ec14dd11e6e7d81f02c9523ffe023445

SHA256
40b069b9339d6a36925ec3d1af079b634d90e9c607040edff1959fa49c0ec29c

SHA512
01a8324f89004818bc978a9fa1d040ed0b8be757e41b4fe5d52bc14b84927ae8723413a09513391c93d7ec2ec0b8c8d6966ea608a640e3647856788b58e649df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
6b7d01b1963dc0cd3a8d65fc31640247

SHA1
a36d386b98746d59a7122a17707353fe5807caca

SHA256
1e4d28a852ed654f8a634545ca23f04de52883d69d99f2673e7ad3c5ca218d58

SHA512
60bdbcd5797bfdf3918765e1a01ba4605cb1c8442f5fff0a239d21ecbca5aeb00438005f2de927524b66f88a8f519f76f3ff372450008746e7309a86e0d652ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
48b837c59c3a5e73c6535d928dc3a08d

SHA1
678de01fe24c8300ee2bb7da2f79c4419b9062c6

SHA256
56d59015a7771e09982ebdc03beb8dd9e34dd20d66b35a99267537fe4b75898b

SHA512
9ede3db0abea2b079135bf426e83b28a47a94a4b56c02650e9a405ae951b9a949f05b595b23c5ac3be3b7b2be8c9ebeee97b4a1c5aa3c5ed644dc146dd985b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_1958C8FC5F0E0F8549703D0A9B9309B5

Filesize
402B

MD5
93133aea051fc1dd5dc2166df4bb1e14

SHA1
19bdf6b122530c309f39f8321eb844a7eea41938

SHA256
c1e0f0aba1694d96fb4815120371224f8dc0a9b2e05d94acea87c48584fe7fdb

SHA512
8b0251a64788d4a750ccedefdb5ede4d8050aad8802508eb03c44284bfa30c67c387746775ee7a153d45c13990db35f9d1445729d5d54a59c77fca785406b079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
0d734a5b31e32c243fd4176d2eb45ba6

SHA1
8ef67ae345d69fe57fee4d65aed0b38b5262c0e6

SHA256
6b51d134305330112bbfa64e2cd04747efb0015ad40831c17a66c9db392fca6a

SHA512
1e60b0ad1d011d001eee6ba03342bf57435bc5f8c86ad2a2ca82981df2c9abf6e3f4f885ad51c8ee009d893b20ac2c9d62e6a4bd677dabafb697d23a03f4213d

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\jdk1.8.0_191.msi

Filesize
948KB

MD5
84f5b7ada4e0c06a2aae07a8419c9f64

SHA1
ed8e9b61e4967b0608406f1255e3e2dbfee3cf0b

SHA256
530f769f400f371383aa1ffaab30b46791a3bb5ea8e9304e3efe9ef419a7faa0

SHA512
84a341cd6ad2e6b560f40792042e60d4d68cdc5cfefee7a85f28a55077aa872dcaa16e27b4a95bb7fe2516a4fe3b0e714c746b69cb826b5bddef8a659fcde38c

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\ss180191.cab

Filesize
18.8MB

MD5
13b35ab0d36be2f7c0f82de8beda0478

SHA1
04768f9d3affc6150bae2f6020072439cff65fe6

SHA256
6ddf1feb791d0bcdedd835713f96e0f40bf69c49e2632c40a56696ee0618b2d9

SHA512
54cf32cd5bf049cc24996b2f99dd27f0a349327f82ea669c673911d1697ca49a99bf099e9d7eb1089921a13ecc17dd8b6f8f136c452d0515d15a510815bfd6a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_191\sz180191.cab

Filesize
1KB

MD5
6ddd9f7229af91f72510332059768b7f

SHA1
2ca8b4863afc1d44352b35601dbfa652838baed2

SHA256
3a8f0955ee74c76f0879bcc3eb2c56c573c59a37be1e725846858ecf6ae455ac

SHA512
4351a88404f80cbb197dda565a27ea8e8e1d9a206207ff6469f1768080c5f8a00067488733f6470c028e6f15b9158ec47bc3052e1cab77ae7a8dc5358acaccd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI98D5.tmp

Filesize
565KB

MD5
4ca39f5a1af6d35e41170e8c30a8391e

SHA1
0ba37cf6d207c5401fc24687ae35fd6c93f10b79

SHA256
32b059eb787925202eebe00ab45312f8484a9dc09c0b76df6a7b38a161133457

SHA512
a4bcf340581edee8ad0fabaa9ee93be726d199022f8e7fc64aa88fb52cf713cb5be99cf2b8618aad3a7ac3b1715f1629394e8d8caed0ae113fea5b1674d13c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
8526786f63f614f7a2919cb0a52487b9

SHA1
92fe506231b0017d04f9605f0cd178ee32fd3391

SHA256
3f64d9690425845e0eca5e3fe1fd14db571680ff50cdb71097dff7aa327448cd

SHA512
6c4eead6369600cf7300a46dd1c4a97e1627db330ef710e550188e37c127ecae5f4bde7c4f9b72fac84ca081304bb42e82e9372a05de43bf69d154936ce2a919

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
173KB

MD5
64538c99a5312405cb0c6ee7ff34b263

SHA1
e830cbe788938758bf6b6da46340571e448068b4

SHA256
ab9589a77a89bf0996660ed09e042cbb65b01819049e65b055b1fe3b0c959c12

SHA512
f54bea5e388dbb3112895e1895366ed7f4d01753580b603f7dcec8fee74ca1e890a5e2cfb877ff4f3d8f44576b41be7b1e0f23f20c61a026a4775b4ba1fd7c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
172KB

MD5
87d82ab7ce0808308caf51fbc7031f1d

SHA1
ec38114a70296c93562217933f703eb659732368

SHA256
7eb31fb9efbc852555f531c6e0952b3cd2802651b528b0b788bd797f657fc7af

SHA512
7547101274f52d1d05e4de2369fc1063760a0aa752e34b7041409159e347a03bc9c06a54d77fa4710df935a4b94ee5e1236539c9d70f3ea10caa6a1572fbf984

Download Submit
memory/3876-1904-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download