Windows Analysis Report
EYOFFTITMDLXZJFFCCGFDTBIY.msi

Overview

General Information

Sample name: EYOFFTITMDLXZJFFCCGFDTBIY.msi
Analysis ID: 1500453
MD5: dde14d0e46b12f8a8c0cd770b905162c
SHA1: a2d8c6e6bd927d1905bd174303a1dc5facf25590
SHA256: a75287cc1412efff5df14e6e8a59cf38bdb3e2fbd60f19126671fe5493cee47b
Tags: 147-45-116-5msi

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates autostart registry keys to launch java
Found suspicious ZIP file
Java source code contains very large array initializations
Checks for available system drives (often done to infect USB drives)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\plugin2\msvcr100.dll
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb source: java_crw_demo.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\jre-image\bin\javaws.pdbPfC source: javaws.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: ktab.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libfontmanager\fontmanager.pdb@ source: fontmanager.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\eula\obj\eula.pdb source: eula.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: sunmscapi.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\eula\obj\eula.pdb0 source: eula.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: orbd.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libzip\zip.pdb source: zip.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libfontmanager\fontmanager.pdb source: fontmanager.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libunpack\unpack.pdb source: unpack.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: pack200.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb9' source: w2k_lsa_auth.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb98 source: java_crw_demo.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libdt_shmem\dt_shmem.pdb source: dt_shmem.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\jre-image\bin\deploy.pdb source: deploy.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: EYOFFTITMDLXZJFFCCGFDTBIY.msi, MSID248.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: w2k_lsa_auth.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: policytool.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdbP*A source: jp2launcher.exe.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: jfxwebkit.dll.2.dr String found in binary or memory:
ftp://http://base%.20s%ddefault%d%.20scopying
http://exslt.org/common
http://exslt.org/commonnode-setdata-typexsltDoSortFunction:
http://icl.com/saxon
http://icl.com/saxonorg.apache.xalan.xslt.extensions.RedirectxsltDocumentElem:
http://tools.ietf.org/html/rfc3986#section-2.1.
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
http://www.jclark.com/xt
http://www.khronos.org/registry/typedarray/specs/latest/#7
http://xmlsoft.org/XSLT/
http://xmlsoft.org/XSLT/Templates:
http://xmlsoft.org/XSLT/namespace
http://xmlsoft.org/XSLT/namespacehttp://www.jclark.com/xtxpath
Source: gstreamer-lite.dll.2.dr String found in binary or memory:
http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.
http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.GStreamer
http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.Internal
http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.This
http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.Your
http://www.ifpi.org/isrc/
Source: servertool.exe.2.dr, zip.dll.2.dr, java-rmi.exe.2.dr, prism_d3d.dll.2.dr, java.exe.2.dr, dt_shmem.dll.2.dr, java_crw_demo.dll.2.dr, glass.dll.2.dr, prism_common.dll.2.dr, pack200.exe.2.dr, sunmscapi.dll.2.dr, eula.dll.2.dr, unpack200.exe.2.dr, ktab.exe.2.dr, gstreamer-lite.dll.2.dr, policytool.exe.2.dr, unpack.dll.2.dr, deploy.dll.2.dr, ssvagent.exe.2.dr, orbd.exe.2.dr, jp2launcher.exe.2.dr String found in binary or memory:
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ocsp.thawte.com0
http://s1.symcb.com/pca3-g5.crl0
http://s2.symcb.com0
http://sv.symcb.com/sv.crl0f
http://sv.symcb.com/sv.crt0
http://sv.symcd.com0&
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
http://www.symauth.com/cps0(
http://www.symauth.com/rpa00
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0
Source: ffjcext.zip.2.dr String found in binary or memory:
http://www.mozilla.org/2004/em-rdf#
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul

System Summary

Source: ffjcext.zip.2.dr Zip Entry: {CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.js
Source: access-bridge.jar.2.dr, com/sun/deploy/resources/Deployment.java Large array initialization: getContents: array initializer size 1606
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\55c72a.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID15C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID218.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID248.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID278.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2B8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{2D10371B-AC7F-42E1-BF25-D954CE17B240}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID430.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSID15C.tmp
Source: EYOFFTITMDLXZJFFCCGFDTBIY.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs EYOFFTITMDLXZJFFCCGFDTBIY.msi
Source: classification engine Classification label: mal52.winMSI@4/150@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD4C7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF1127732E3C763095.TMP
Source: jfxwebkit.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: jfxwebkit.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: jfxwebkit.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: jfxwebkit.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: jfxwebkit.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: jfxwebkit.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: jfxwebkit.dll.2.dr Binary or memory string: CREATE TABLE Origins (origin TEXT UNIQUE ON CONFLICT REPLACE, path TEXT);
Source: jfxwebkit.dll.2.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\EYOFFTITMDLXZJFFCCGFDTBIY.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 03C0057B2BCA561143D0212352BCB168
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, pcacli.dll, mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, srclient.dll, spp.dll, powrprof.dll, vssapi.dll, vsstrace.dll, umpdc.dll, wldp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, pcacli.dll, mpr.dll, ntmarta.dll, cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, netapi32.dll, iphlpapi.dll, samcli.dll, netutils.dll, logoncli.dll, msasn1.dll, netapi32.dll, iphlpapi.dll, samcli.dll, netutils.dll, logoncli.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, msasn1.dll, netapi32.dll, iphlpapi.dll, samcli.dll, netutils.dll, logoncli.dll, msasn1.dll, netapi32.dll, iphlpapi.dll, samcli.dll, netutils.dll, logoncli.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, twinapi.appcore.dll, twinapi.appcore.dll, propsys.dll, windows.ui.immersive.dll, msasn1.dll, netapi32.dll, iphlpapi.dll, samcli.dll, netutils.dll, logoncli.dll, msasn1.dll
Source: EYOFFTITMDLXZJFFCCGFDTBIY.msi Static file information: File size 67692544 > 1048576
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: sunmscapi.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\eula\obj\eula.pdb0 source: eula.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: orbd.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libzip\zip.pdb source: zip.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libfontmanager\fontmanager.pdb source: fontmanager.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libunpack\unpack.pdb source: unpack.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: pack200.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb9' source: w2k_lsa_auth.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb98 source: java_crw_demo.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libdt_shmem\dt_shmem.pdb source: dt_shmem.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\jre-image\bin\deploy.pdb source: deploy.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: EYOFFTITMDLXZJFFCCGFDTBIY.msi, MSID248.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: w2k_lsa_auth.dll.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: policytool.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdbP*A source: jp2launcher.exe.2.dr
Source: jfxwebkit.dll.2.dr Static PE information: section name: .unwante
Source: prism_sw.dll.2.dr Static PE information: section name: _RDATA
Source: msvcr100.dll.2.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: msvcr120.dll.2.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr100.dll0.2.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID278.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\unpack.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\Data.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2B8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\rmid.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaw.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jdwp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\hprof.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\instrument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dt_shmem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JavaAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\verify.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\plugin2\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\sunec.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_font_t2k.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\keytool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jpeg.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\servertool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java_crw_demo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jawt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jjs.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jaas_nt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\kcms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\lcms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ssv.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\deploy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_sw.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\nio.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\eula.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\orbd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID218.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\npt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\j2pcsc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\zip.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcr120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\policytool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcp120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\bci.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsound.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID15C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\awt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID248.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\glass.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\resource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\t2k.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\kinit.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\klist.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\WindowsAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\pack200.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaws.exe Jump to dropped file

Boot Survival

Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1003\Components\42112CAB75FB99A42AA1B59724538D4F B17301D2F7CA1E24FB529D45EC712B04 C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaw.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID278.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\unpack.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\Data.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID2B8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\rmid.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaw.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jdwp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\hprof.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\instrument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dt_shmem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JavaAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\verify.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\plugin2\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\sunec.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_font_t2k.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\keytool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jpeg.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\servertool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java_crw_demo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jawt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jjs.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jaas_nt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\kcms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\lcms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ssv.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\deploy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_sw.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\nio.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\eula.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\orbd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID218.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\npt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\j2pcsc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\zip.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcr120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\policytool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcp120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\bci.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsound.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID15C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\awt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID248.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\glass.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\resource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\kinit.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\t2k.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\klist.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\WindowsAccessBridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\pack200.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\msvcr100.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaws.exe Jump to dropped file
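The entries above show msiexec.exe unpacking an entire JRE tree under C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin plus three MSI*.tmp files in C:\Windows\Installer, none of which ran during the analysis. "Not started" only means the file was not executed inside the sandbox window; a dropped java.exe in a user-writable directory is still available for a later launch. The helper below is an added triage example, not part of the report or of the sandbox vendor's tooling: it parses lines in the shape shown above, buckets the dropped files by location (the bucket names and the PE-extension list are my own assumptions), flags PE files whose extension does not look like a PE (the report itself asserts the content is PE, so a .tmp name is a mismatch worth noting), and turns the concrete sandbox paths into profile-agnostic hunt patterns. The sample lines are constructed to match the report's entries.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input in the shape of the report's behaviour records:
# five dropped-PE entries plus one unrelated volume query that must be ignored.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\kcms.dll Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\java.exe Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID218.tmp Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\dtplugin\deployJava1.dll Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\New Ar\New Ar\dist\jre\bin\javaws.exe Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior",
]

# Matches one "Dropped PE file which has not been started" record; the trailing
# "Jump to dropped file" is UI residue and is made optional.
DROP_RE = re.compile(
    r"^Source: (?P<src>.+?) Dropped PE file which has not been started: "
    r"(?P<path>.+?)(?: Jump to dropped file)?$"
)

# Assumed list of extensions under which a PE image is normally expected.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def parse_dropped(lines):
    """Return (dropping_process, dropped_path) for every dropped-PE record."""
    out = []
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            out.append((m["src"], m["path"]))
    return out


def classify(path):
    """Bucket a dropped path by how writable/unusual its location is (assumed labels)."""
    p = path.lower()
    if "\\appdata\\" in p:
        return "user-appdata"
    if p.startswith("c:\\windows\\installer\\"):
        return "msi-cache"
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\users\\"):
        return "user-profile"
    return "other"


def mismatched_extensions(lines):
    """Dropped PE files whose file name does not carry a PE-style extension."""
    return sorted(
        p for _, p in parse_dropped(lines)
        if PureWindowsPath(p).suffix.lower() not in PE_EXTENSIONS
    )


def hunt_paths(lines):
    """Replace the sandbox user name with a wildcard so the paths can be
    searched across arbitrary profiles on real hosts."""
    pats = set()
    for _, p in parse_dropped(lines):
        pats.add(re.sub(r"(?i)^c:\\users\\[^\\]+\\", lambda m: "C:\\Users\\*\\", p))
    return sorted(pats)


def summarize(lines):
    drops = parse_dropped(lines)
    return {
        "total": len(drops),
        "by_dir": Counter(str(PureWindowsPath(p).parent) for _, p in drops),
        "by_class": Counter(classify(p) for _, p in drops),
        # Executables matter most: they are what a later launch would run.
        "executables": sorted(PureWindowsPath(p).name for _, p in drops
                              if PureWindowsPath(p).suffix.lower() == ".exe"),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['total']} dropped PE files, by location: {dict(s['by_class'])}")
    for d, n in s["by_dir"].most_common():
        print(f"  {n:3d}  {d}")
    print("executables:", ", ".join(s["executables"]))
    print("PE with non-PE extension:", mismatched_extensions(SAMPLE_LINES))
    print("hunt patterns:")
    for h in hunt_paths(SAMPLE_LINES):
        print("  ", h)
```

Feed the full report section to `summarize` instead of `SAMPLE_LINES` to get the counts for the whole drop list; the directory counts make it obvious that nearly everything lands in one user-writable JRE tree, and the hunt patterns are ready to be checked against endpoint file inventories.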
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: deploy.dll.2.dr Binary or memory string: [mwndProcID was NULL in mainLoop()wndProc(JIJJ)JNULL != hIcon../../src/common/windows/native/WindowsJavaTrayIcon.cppTrayNotifyWndShell_TrayWndUnable to Start Java Plug-in Control Panel%s\javacpl.exeJava Sys Tray
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
No contacted IP infos