Malware Analysis Report

2024-11-16 13:15

Sample ID 240624-3ywseayfrc
Target 0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118
SHA256 f869428f2794f4eb2a288895089f1f93c7df1c25e5d24ea3601a21558be69496
Tags
sality backdoor evasion persistence privilege_escalation trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f869428f2794f4eb2a288895089f1f93c7df1c25e5d24ea3601a21558be69496

Threat Level: Known bad

The file 0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence privilege_escalation trojan upx

Windows security bypass

Modifies firewall policy service

Sality

UAC bypass

Disables Task Manager via registry modification

Disables RegEdit via registry modification

UPX packed file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Installer Packages

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies registry class

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 23:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 23:55

Reported

2024-06-24 23:58

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f7659e6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615136.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80CHT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615043.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615355.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\mfcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80CHS.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615324.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0\8.0.56336\ul_ATL80.dll.97F81AF1_0E47_DC99_FF1F_C8B3B9A1E18E C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615214.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615370.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615043.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615043.0\ATL80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615324.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7659e6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80JPN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80KOR.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI62BA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80FRA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615355.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615043.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615355.1\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615324.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615355.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\mfcm80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80ITA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615370.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0\8.0.56336 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7659e3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\mfc80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615339.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7659e8.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615370.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235615339.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7659e3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5B69.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80ENU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615355.1\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615136.0\mfc80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615355.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615324.0\vcomp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615339.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80DEU.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235615214.0\mfc80ESP.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\b25099274a207264182f8181add555d0\8.0.56336\ul_ATL80.dll.97F81AF1_0E47_DC99_FF1F_C8B3B9A1E18E C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\PackageCode = "ECF0C5769D85D534A98DCACD5B08A8A3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Version = "134274064" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Features\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\VC_Redist C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\ProductName = "Microsoft Visual C++ 2005 Redistributable" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\PackageName = "vcredist.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1640 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1640 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 1640 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1640 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1640 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 1640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 1640 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2596 wrote to memory of 264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "0000000000000584"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E9BA54F3DCF1F50E4947DF4DA8C985D0

Network

N/A

Files

memory/1640-0-0x0000000001000000-0x00000000012AC000-memory.dmp

memory/1640-1-0x0000000000840000-0x0000000000AEC000-memory.dmp

memory/1640-6-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-4-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-2-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-12-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1112-13-0x0000000000530000-0x0000000000532000-memory.dmp

memory/1640-27-0x00000000007A0000-0x00000000007A2000-memory.dmp

memory/1640-26-0x00000000007A0000-0x00000000007A2000-memory.dmp

memory/1640-10-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-25-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1640-23-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/1640-22-0x00000000007A0000-0x00000000007A2000-memory.dmp

memory/1640-8-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-7-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-5-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-11-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-9-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-28-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-29-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-30-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-31-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-32-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-34-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-35-0x00000000026B0000-0x000000000373E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

memory/1640-38-0x0000000001001000-0x0000000001002000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

MD5 dc1ab7ce3b89fc7cac369d8b246cdafe
SHA1 c9a2d5a312f770189c4b65cb500905e4773c14ad
SHA256 dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560
SHA512 e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

memory/1640-52-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-54-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-56-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/2524-77-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2868-78-0x00000000004C0000-0x00000000004C2000-memory.dmp

memory/1640-79-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-58-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/2524-76-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2868-70-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/1640-81-0x00000000026B0000-0x000000000373E000-memory.dmp

memory/1640-83-0x00000000026B0000-0x000000000373E000-memory.dmp

\Windows\Installer\MSI5B69.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

MD5 aa85aa3738acfe30e197d9dfd5c3428d
SHA1 7f3ee53bd967265afe32b31d75b4f6c47363654a
SHA256 af3560ef0c55c7e4eff2170c63e7860498b5830e405a3841f96c91601e62e108
SHA512 e1bf248d6425f6ba91bf0a1f3d364321b09477af9be2f31f8bf6d92defbaddfbab8f3e6284262742378f1f87d60d06eee3b98fb081e60f9fb6f19c1797489861

memory/1640-216-0x0000000001000000-0x00000000012AC000-memory.dmp

memory/1640-217-0x00000000026B0000-0x000000000373E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 23:55

Reported

2024-06-24 23:58

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI4E79.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80ITA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622958.1\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622880.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80CHT.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622958.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\mfc80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622583.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80DEU.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622677.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e584c46.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622615.0\msvcr80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\mfcm80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80ENU.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622943.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
File created C:\Windows\Installer\e584c46.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622583.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622615.0\msvcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80CHS.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622943.1 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622583.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622880.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622958.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622958.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\mfc80u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622583.0\ATL80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622943.1\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622958.1\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80KOR.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622943.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622943.1\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7299052b-02a4-4627-81f2-1818da5d550d} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5659.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622677.0\mfcm80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622880.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622786.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80FRA.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584c4a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622615.0 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622615.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622615.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622865.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80ESP.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622786.0\mfc80JPN.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622865.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622943.0\8.0.50727.762.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622958.0\8.0.50727.762.policy C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\InstallTemp\20240624235622865.0 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622615.0\msvcp80.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\WinSxS\InstallTemp\20240624235622865.0\vcomp.dll C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not present in source] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\VC_Redist C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Language = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Version = "134274064" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\ProductName = "Microsoft Visual C++ 2005 Redistributable" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\PackageCode = "ECF0C5769D85D534A98DCACD5B08A8A3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\b25099274a207264182f8181add555d0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\PackageName = "vcredist.msi" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4496 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4496 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4496 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4496 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4496 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4496 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4496 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4496 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4496 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4496 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4496 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4496 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4496 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4496 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4496 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
PID 2160 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE C:\Windows\SysWOW64\msiexec.exe
PID 4496 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4496 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe C:\Windows\SysWOW64\msiexec.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff8390dceb8,0x7ff8390dcec4,0x7ff8390dced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2264,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2400,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0b62366d1ddb33c5c1345caae5046d14_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

C:\Windows\SysWOW64\msiexec.exe

msiexec /i vcredist.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8462B4464F6DF244B3A8D00049BA62C4

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

MD5 1f8e9fec647700b21d45e6cda97c39b7
SHA1 037288ee51553f84498ae4873c357d367d1a3667
SHA256 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161
SHA512 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

MD5 dc1ab7ce3b89fc7cac369d8b246cdafe
SHA1 c9a2d5a312f770189c4b65cb500905e4773c14ad
SHA256 dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560
SHA512 e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

MD5 aa85aa3738acfe30e197d9dfd5c3428d
SHA1 7f3ee53bd967265afe32b31d75b4f6c47363654a
SHA256 af3560ef0c55c7e4eff2170c63e7860498b5830e405a3841f96c91601e62e108
SHA512 e1bf248d6425f6ba91bf0a1f3d364321b09477af9be2f31f8bf6d92defbaddfbab8f3e6284262742378f1f87d60d06eee3b98fb081e60f9fb6f19c1797489861

C:\Windows\Installer\MSI4E79.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Config.Msi\e584c49.rbs

MD5 1fcbd159a01bd06c72418cd6f20bf7b8
SHA1 4ba17d9415738dbb393e265c808bfa70711b1060
SHA256 8c633411cac33fc5e39257676d3d344ce6c23b07265f644df4f91a018edd540b
SHA512 95d093fba52d862de170c6ac124fcc087256a9750b39ba606823462a4fc211d8ecd997c798eb1a007afd6ceb22488ddcf9c1704cdba3a11bc5ea477a505dee59

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 92cd459d0446babfe8283f77baa9c7a9
SHA1 5b002a629809aa7b7c32e67332180eead795d757
SHA256 95167bb5124e1ef42b4bebaa7854297c64002637bf986959bbeb56edcd652bd6
SHA512 ea2a009e4a4343776b4b47454aead06c1b980c70a6a52f2f4b690eb10415ee7a3a503ef05c09d61f6042dfe9ce0e3c5cf1b51144d7a66a50172e97867a27ddae

\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cbf8f2d6-123b-4620-b090-0e8047bb8d95}_OnDiskSnapshotProp

MD5 359e236441a6fb85985afbd1b114cf4b
SHA1 8e4407830ce085d3d658f4448f1ebec2e5913fc2
SHA256 11a674406bb0759c2ce5b25ce6c4ef9735a9280bc741e52b8236bddfc53662da
SHA512 80113f37e3e84133e0755f76b500b2126901341268b3f8e94f39389a9e977c3d18e676cd0782673691ed594234656043d318ac7758a2dbbd6fe2e3aea3ee585c