File name:	jre-8u431-windows-x64.exe
Full analysis:	https://app.any.run/tasks/60d50897-46dc-4acb-b832-77f7efac3265
Verdict:	Malicious activity
Analysis date:	October 20, 2024, 06:25:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-scr
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	FFEB97A82F30DD074B5CE8F22EA8D471
SHA1:	64D3D90A74623824854E187DB734B787C6259FFA
SHA256:	6E6E541BC5B96EF69EBAF247D8CF9BFB0EB8B6FEE289A9F163DB74B08983CEEC
SSDEEP:	393216:M4dkwuiNurrQBnZtKdH9I6qfzotexeIU2UlQgwHVAbpG6QkLoGbS61G+Y8CAbul:MjINUQBnYpCCeYI/UlQpHVAb+pUbQWe

.exe	\|	Win32 EXE PECompact compressed (generic) (53.4)
.exe	\|	Win64 Executable (generic) (35.5)
.exe	\|	Win32 Executable (generic) (5.8)
.exe	\|	Generic Win/DOS Executable (2.5)
.exe	\|	DOS Executable Generic (2.5)

MachineType:	AMD AMD64
TimeStamp:	2024:09:30 08:52:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.36
CodeSize:	262656
InitializedDataSize:	68974592
UninitializedDataSize:	-
EntryPoint:	0x19564
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	8.0.4310.10
ProductVersionNumber:	8.0.4310.10
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Oracle Corporation
FileDescription:	Java Platform SE binary
FileVersion:	8.0.4310.10
FullVersion:	1.8.0_431-b10
InternalName:	Setup Launcher
LegalCopyright:	Copyright © 2024
OriginalFileName:	wrapper_jre_offline.exe
ProductName:	Java Platform SE 8 U431
ProductVersion:	8.0.4310.10


(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
Operation:	delete value	Name:	InstallStatus
Value:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
Operation:	write	Name:	Country
Value: MY
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
Operation:	write	Name:	PostStatusUrl
Value: https://sjremetrics.java.com/b/ss//6
(PID) Process:	(3728) jre-8u431-windows-x64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
Operation:	write	Name:	Method
Value: joff
(PID) Process:	(4676) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 44120000C30907FAB822DB01

PID	Process	Filename		Type
4304	jre-8u431-windows-x64.exe	C:\Users\admin\AppData\Local\Temp\jds590171.tmp\jds590187.tmp		—
		MD5:—	SHA256:—
4304	jre-8u431-windows-x64.exe	C:\Users\admin\AppData\Local\Temp\jds590171.tmp\jre-8u431-windows-x64.exe		—
		MD5:—	SHA256:—
3728	jre-8u431-windows-x64.exe	C:\Users\admin\AppData\LocalLow\Oracle\Java\jre1.8.0_431_x64\jre1.8.0_43164.msi		—
		MD5:—	SHA256:—
4676	msiexec.exe	C:\Windows\Installer\93c9f.msi		—
		MD5:—	SHA256:—
4676	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:611F206D1CE400FC1F15C0791F428108	SHA256:F9FFCF08B834675E19913B2FDCEC42932E2DDBD6878F625BD8103236E7A84B07
4676	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:2989455F86A88EF4E0195017B10A96A2	SHA256:22334481A1D0CE5C6C1BD0B761ED62D1C30062ECD1B2E3967BE61F38B8778012
4304	jre-8u431-windows-x64.exe	C:\Users\admin\AppData\Local\Temp\jusched.log		text
		MD5:30CFEC8972BE55F26257151FB3949521	SHA256:03338F5365A742520179D4786AD01C8E040C589217A3E96B7200BE9BCC0F24ED
4676	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:DC6C041B73067F8DC2BA4562B29EDFFE	SHA256:8A5CA51443DF9CA9E82793434AC8BD7D1EDC0561D92B14BB552B52EE716A5E06
4676	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		der
		MD5:06DDD1D63258CFDB247A4C342E06F8DE	SHA256:7ABEF69DA1F46CF322E26D3760147ED096516E5000DD11FAF76F380A83E39FD2
3728	jre-8u431-windows-x64.exe	C:\Users\admin\AppData\LocalLow\Oracle\Java\jre1.8.0_431_x64\Java3BillDevices.png		image
		MD5:8E52EFC6798ED074072F527309A1BA25	SHA256:12491EBC4EB99BF014D3BC44F770114BDE013E84CBEC2633303559A8C6E5F991

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	OPTIONS	204	52.5.13.197:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	HEAD	200	23.56.205.197:443	https://rps-svcs.oracle.com/services/countrylookup	unknown	—	—	—
4676	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
—	—	GET	200	52.5.13.197:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=MY&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	binary	5.22 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	104.126.37.123:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	104.126.37.123 104.126.37.155 104.126.37.161 104.126.37.139 104.126.37.128 104.126.37.160 104.126.37.146 104.126.37.153 104.126.37.137 104.126.37.162 104.126.37.185 104.126.37.163 104.126.37.171 104.126.37.170 104.126.37.178 104.126.37.179 104.126.37.177	whitelisted
google.com	216.58.212.174	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
javadl-esd-secure.oracle.com	104.102.54.38	whitelisted
rps-svcs.oracle.com	104.102.54.38	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.java.com	104.126.37.185 104.126.37.145	whitelisted
self.events.data.microsoft.com	40.79.167.8	whitelisted

General Info

jre-8u431-windows-x64.exe

FFEB97A82F30DD074B5CE8F22EA8D471

64D3D90A74623824854E187DB734B787C6259FFA

6E6E541BC5B96EF69EBAF247D8CF9BFB0EB8B6FEE289A9F163DB74B08983CEEC

393216:M4dkwuiNurrQBnZtKdH9I6qfzotexeIU2UlQgwHVAbpG6QkLoGbS61G+Y8CAbul:MjINUQBnYpCCeYI/UlQpHVAb+pUbQWe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Checks for Java to be installed

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Reads the Windows owner or organization settings

The process drops C-runtime libraries

Reads Mozilla Firefox installation path

Process drops legitimate windows executable

Executable content was dropped or overwritten

Creates/Modifies COM task schedule object

INFO

Reads the computer name

Checks supported languages

Reads Environment values

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

The process uses the downloaded file

Application launched itself

Executable content was dropped or overwritten

Reads CPU info

Starts application with an unusual extension

Creates files in the program directory

Creates a software uninstall entry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats