Analysis Overview
SHA256
fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45
Threat Level: Likely malicious
The file 1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Blocklisted process makes network request
Drops file in Windows directory
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Event Triggered Execution: Installer Packages
Modifies data under HKEY_USERS
Modifies registry class
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 04:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 04:58
Reported
2024-10-07 05:01
Platform
win7-20240704-en
Max time kernel
143s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSID91D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{5D86D587-6E45-4779-B228-F0B6F5F1B880}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f76d5b9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76d5b6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID8DE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDB32.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76d5b7.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76d5b6.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76d5b7.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\PackageCode = "7938FBA7517767846B9F436057651832" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\PackageName = "1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductIcon = "C:\\Windows\\Installer\\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7A724035F599F8E182447BABECF0E
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86FCAA2751854922C254FCA327E9A563 M Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 2.18.63.21:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | websekir.com | udp |
| N/A | 127.0.0.1:49411 | N/A | tcp |
| N/A | 127.0.0.1:49414 | N/A | tcp |
| N/A | 127.0.0.1:49417 | N/A | tcp |
| N/A | 127.0.0.1:49420 | N/A | tcp |
| N/A | 127.0.0.1:49423 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD423.tmp
C:\Users\Admin\AppData\Local\Temp\TarD445.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
C:\Windows\Installer\MSID91D.tmp
\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 034379bcea45eb99db8cdfeacbc5e281 |
| SHA1 | bbf93d82e7e306e827efeb9612e8eab2b760e2b7 |
| SHA256 | 8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65 |
| SHA512 | 7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 228c6bbe1bce84315e4927392a3baee5 |
| SHA1 | ba274aa567ad1ec663a2f9284af2e3cb232698fb |
| SHA256 | ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065 |
| SHA512 | 37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 9b79fda359a269c63dcac69b2c81caa4 |
| SHA1 | a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb |
| SHA256 | 4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138 |
| SHA512 | e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 39325e5f023eb564c87d30f7e06dff23 |
| SHA1 | 03dd79a7fbe3de1a29359b94ba2d554776bdd3fe |
| SHA256 | 56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a |
| SHA512 | 087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8da414c3524a869e5679c0678d1640c1 |
| SHA1 | 60cf28792c68e9894878c31b323e68feb4676865 |
| SHA256 | 39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672 |
| SHA512 | 6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 70e9104e743069b573ca12a3cd87ec33 |
| SHA1 | 4290755b6a49212b2e969200e7a088d1713b84a2 |
| SHA256 | 7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95 |
| SHA512 | e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll
| MD5 | b3c188281aa3998f49391da0c3b52b8e |
| SHA1 | 67e6f1eb07861dddde3df9d266f683cb0331d433 |
| SHA256 | 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46 |
| SHA512 | 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll
| MD5 | 888aa12cc20f645dd2fc04f52e453bc6 |
| SHA1 | b19e790c9e6ceface9cdd41a24518d6e4a953b23 |
| SHA256 | 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb |
| SHA512 | f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3 |
C:\Config.Msi\f76d5b8.rbs
| MD5 | 1a3821670061e62edb80b5f046b7ad50 |
| SHA1 | 7b36cabfbfeded52947d5e3895ee25c68fd56d03 |
| SHA256 | 2a9965a26a4b16ff85c8e8ff6ae5d0648b6dfe648f371d95bdeada91ac01ab08 |
| SHA512 | 8fe28c37551ef83e06cb54250453815e3304c26a793793d8be7af8a4281b80cef9777d40257975fe5b9550d1219102fac2f47f08eab3430f97830f311cd42887 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
| MD5 | 96b62cfb83cf0e9790a3ef939173ee31 |
| SHA1 | 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1 |
| SHA256 | 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23 |
| SHA512 | d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b |
C:\Windows\Installer\f76d5b6.msi
| MD5 | 1b9aac91eee54cffc5e27c374a11a99b |
| SHA1 | dcadbc0f895816c6c403f06b3f8e12f279a6cf7c |
| SHA256 | fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45 |
| SHA512 | 19bc82314eed220bb34c0d467185fec9ed5cda022f9efe05e56acad7bdecd33b4e3013317707911e645df44bd6c412fd1fc16dc6261ee2c7cc2dd0f747eaf36f |
\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll
| MD5 | 37a407be4d9bb791e2fa1f326c7bb961 |
| SHA1 | 614fdf4b66a07cd35c42a00da48a4ed2ebc109be |
| SHA256 | 9bbbb0f33fc963ef049b8103d294de36a97c6c9393eacca16857755b2765edd5 |
| SHA512 | ac49930e57ecb496e07573ea1b3b7c28d2c26ce198db789f32a6b5c21d85a5d244b567319116416b94a53e978cdf5bb87c89d0475a7dde9d3f549ed44edc1e2f |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll
| MD5 | e7fcab954f116c8bb4b006145c20dd23 |
| SHA1 | 91ee70a33ab12618f0f0ec229de4583d9aa52a8a |
| SHA256 | e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2 |
| SHA512 | d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9 |
memory/2092-220-0x000007FEF58E0000-0x000007FEF5D60000-memory.dmp
memory/2092-221-0x000007FEF58E0000-0x000007FEF5D60000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 04:58
Reported
2024-10-07 05:01
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
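The table above, together with the per-file hash list earlier in this report, gives a host-based indicator set: a drop directory named "Sun Technology Network\Oracle Java SE" (a vendor name that does not exist; the later registry activity shows Register.exe writing under a "Netflix Activator" key, so neither the product name nor the directory reflects what is installed), two PE files that are not standard components (Register.exe and SyncMonitor.dll), the MSI cached under C:\Windows\Installer, and bundled OpenSSL and libcurl builds. The api-ms-win-crt-*, vcruntime140 and msvcp140 names belong to the Universal CRT and Visual C++ redistributables that ship with countless legitimate programs, so their hashes make poor indicators and are left out. The following is an added example written for this page, not sandbox output or code from the sample, that sweeps a directory tree for these indicators; the split into "strong" and "supporting" hashes is this editor's triage, not the report's, and the directory layout and file contents used in the demo are constructed so that it runs offline on any OS.

```python
"""Added example (not part of the sandbox report): sweep a directory tree for
the files this MSI drops, matching on the SHA-256 values from the report's
dropped-file list and on the dropped-file names under the
'Sun Technology Network\\Oracle Java SE' directory from the table above.
The directory layout and file contents used in the demo are constructed."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the report. The MSI itself and the two
# non-standard PE files are the strongest indicators.
STRONG_SHA256 = frozenset({
    "fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45",  # f76d5b6.msi (the sample)
    "6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23",  # Register.exe
    "9bbbb0f33fc963ef049b8103d294de36a97c6c9393eacca16857755b2765edd5",  # SyncMonitor.dll
})
# Third-party library builds: a hash hit is worth a look but may also match
# legitimate software that bundles the same OpenSSL/libcurl binaries.
SUPPORTING_SHA256 = frozenset({
    "e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2",  # libcurl.dll
    "59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46",  # libssl-1_1.dll
    "93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb",  # libcrypto-1_1-x64.dll
})
# Drop location and file names from the 'Drops file in Program Files' table.
DROP_DIR_MARKER = os.path.join("Sun Technology Network", "Oracle Java SE")
DROPPED_NAMES = {"register.exe", "syncmonitor.dll", "patch_service.exe",
                 "setup.bat", "libcurl.dll", "libssl-1_1.dll", "libcrypto-1_1-x64.dll"}


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, strong=STRONG_SHA256, supporting=SUPPORTING_SHA256):
    """Walk root and return (path, reason, sha256) for every file that matches
    a known-bad hash or sits in the drop directory under a dropped file name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        in_drop_dir = DROP_DIR_MARKER.lower() in dirpath.lower()
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            if digest in strong:
                findings.append((path, "hash-strong", digest))
            elif digest in supporting:
                findings.append((path, "hash-supporting", digest))
            elif in_drop_dir and name.lower() in DROPPED_NAMES:
                findings.append((path, "path", digest))
    return findings


def make_constructed_tree(base):
    """Lay out a constructed copy of the drop directory. Contents are
    placeholders, so they cannot match the report's hashes and are caught
    on path alone; notes.txt is an unrelated file used for the hash demo."""
    drop = os.path.join(base, "Program Files (x86)", "Sun Technology Network", "Oracle Java SE")
    os.makedirs(drop)
    for name in ("Register.exe", "SyncMonitor.dll", "patch_service.exe", "setup.bat"):
        with open(os.path.join(drop, name), "wb") as fh:
            fh.write(b"placeholder content for " + name.encode())
    user_dir = os.path.join(base, "Users", "Admin")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "notes.txt"), "wb") as fh:
        fh.write(b"abc")
    return drop


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, and return
    {file name: reason}. The SHA-256 of b'abc' is added to the strong set
    purely to show a hash hit on constructed data."""
    with tempfile.TemporaryDirectory() as base:
        make_constructed_tree(base)
        extra = {hashlib.sha256(b"abc").hexdigest()}
        hits = sweep(base, strong=STRONG_SHA256 | extra)
        return {os.path.basename(path): reason for path, reason, _ in hits}


if __name__ == "__main__":
    for name, reason in sorted(run_demo().items()):
        print(f"{reason:16s} {name}")
```

On a live Windows host the call would be sweep(r"C:\Program Files (x86)") plus a second pass over C:\Windows\Installer for the cached MSI, whose SHA-256 is the report's own fb76a02f… value. Pair the file sweep with the registry indicator from the "Modifies data under HKEY_USERS" table: the value Active = "Yes" under HKU\.DEFAULT\Software\Netflix Activator, written by Register.exe. That it lands in the .DEFAULT hive rather than a user's hive is consistent with Register.exe running as LocalSystem out of the installer's custom action, which is also why the PowerShell certificate-store and ZoneMap keys in that table appear under .DEFAULT.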
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{5D86D587-6E45-4779-B228-F0B6F5F1B880} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{5D86D587-6E45-4779-B228-F0B6F5F1B880}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5B5B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6000.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e585908.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5A7F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e585908.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5F24.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58590a.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Netflix Activator\Active = "Yes" | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\PackageName = "1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\PackageCode = "7938FBA7517767846B9F436057651832" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductIcon = "C:\\Windows\\Installer\\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 01143F2FDA5C79D5CCB5D1273349C961
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3490A9C956A4FC4C03E74238C34E96D3 E Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Windows\syswow64\cmd.exe
"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /reset
C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
Register.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 2.18.63.53:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| N/A | 127.0.0.1:50438 | N/A | tcp |
| N/A | 127.0.0.1:50450 | N/A | tcp |
| N/A | 127.0.0.1:50458 | N/A | tcp |
| N/A | 127.0.0.1:50461 | N/A | tcp |
| N/A | 127.0.0.1:50464 | N/A | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | 04127ae9ffefef2d0c6e2b0940262e56 |
| SHA1 | 78e0c8f0a65f533d0eee6c1fee555d6f5e5cc855 |
| SHA256 | e69ce4132f973abb4c4775e6c555fb88d2d1c556c0036a0a9cd4271a57294fa3 |
| SHA512 | 4c2b03617a21607323c2bdab12ed012fa66e1e3fb05b3ca545e154c9d97ca03dc94c255c4bc48a4c127d714dd5b9542491b7efbaf2de3bb8a5b67edada8713ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | e22e48cb1b26bf8dd97314b2d21676d4 |
| SHA1 | efbb1857394d1166aa0b8c71a20674cfedf9faab |
| SHA256 | 74be3f71da4c1b8ccb24a26bc1fdd42187308c7792d9aa45c4fcbcb1748afb51 |
| SHA512 | 11d56e475fa986d5d0f9a8fd52b8e3197b05b7ef78b7ffb9a896e69710eaf8f34503ba39bae40c891e2c10df7cb689c285e306a18f524c67367396397dea1c6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | 7e609cb788612b7de4bfd2e19ebf6ff4 |
| SHA1 | 10720164c06e6464f5c6c3c4c54f48019578633c |
| SHA256 | 7756b92245f83743c6bf5b5a82e88493f128aba60d46635e29e53c493f9a9e16 |
| SHA512 | 619b2d045fe447e6661ded55dd75e78933645155422f39d63c5576c5f45fb8d90e9955d6d1afa05f82d8d5eee05ae8a6992f5f261c315354325a0709362cc17a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | 4daf20835f87faa3774a35850b921aeb |
| SHA1 | 7fbb96f3b550265619038ab14ba518c81193b156 |
| SHA256 | 852b6dc61f267bf2a1f73f1b1471e3c5ef7b8052363051b9e646778b0f9f7e89 |
| SHA512 | 567351176fc881faa18c2d87b20648ea03e469960340ef05576de673eb685ec6c7a1d1a2308da4bc0e4997d4d99f023013d36881f3effc41fefed06f23183504 |
C:\Windows\Installer\MSI5B5B.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
| MD5 | 4fd1d700b7a3bb98e3bff8aaf3b1f26a |
| SHA1 | 031abd17460bc4330aa0f46be504969acf8f00fb |
| SHA256 | 7f42b07d07d9ad8889bfcc6fc8b49b921674d399360206c50331e269962575db |
| SHA512 | 4192f9ff958985f2bdae4f7461cdafee2956641a7c8763e999abbe6c42096698b2c7ce8da36fcf0184012820e68be0ee00ebb67d984718cd4f278a24db9c2bff |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
| MD5 | e008fbfdea1bf873f3d94d74c1cf7935 |
| SHA1 | 2a2af5e9084e7b55cdd5d01df342b02c1917573c |
| SHA256 | 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b |
| SHA512 | 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll
| MD5 | 1e109b1d40efcfec81a5d43d318cbb26 |
| SHA1 | 03aae193dc36d70fb34257d1276666e988b4a222 |
| SHA256 | 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69 |
| SHA512 | 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
| MD5 | 9dda681b0406c3575e666f52cbde4f80 |
| SHA1 | 1951c5b2c689534cdc2fbfbc14abbf9600a66086 |
| SHA256 | 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3 |
| SHA512 | 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll
| MD5 | b3c188281aa3998f49391da0c3b52b8e |
| SHA1 | 67e6f1eb07861dddde3df9d266f683cb0331d433 |
| SHA256 | 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46 |
| SHA512 | 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll
| MD5 | 888aa12cc20f645dd2fc04f52e453bc6 |
| SHA1 | b19e790c9e6ceface9cdd41a24518d6e4a953b23 |
| SHA256 | 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb |
| SHA512 | f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat
| MD5 | 0a16033c7df6ba580e33c66fed1a12d7 |
| SHA1 | 50fc0b9f740a9e82717f2370fe0a15e937a84208 |
| SHA256 | 08d68557b06a5cb43ce2719bf82dd2fee6bd78a58c88a37e5ee5d54b2ea14623 |
| SHA512 | c252e11099d52bc57bd49ce5732a7cd5fcbd155b36e0b0b27a3e8a3023949708362e4156e09f467b35c27543a652173a8dbe29da13dbdb23ecd2354c95569b44 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpaqroz1.3to.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2b9ff2c145337128f783526494c9ff9 |
| SHA1 | d47a519f1bafcf00cc4278557f10cb9ab76b71d2 |
| SHA256 | 52336abbcfd8ca97c86b32016d82fe217c022410d67e870b94a1cbf992002be1 |
| SHA512 | 74cd75289b081b940c54333579b62328a93421858f7e1884866f652cd796b2f8bda63d67c995c136fb08256fc73f6561c9c4f85260a1e76674c8dda6361306bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fbe47712c0d0502f91c7e7dd597e40d8 |
| SHA1 | d1b83bc96dffe6457b5a38d616e07f249eaba862 |
| SHA256 | 18dee4e21454a732c02f3fd9160097b7200fd86b2bffdc58ed8fa881a8aee07e |
| SHA512 | b0cedc8ef7ab3c6667b9ddd82fc2e8bd36988266c2004492e9a2d54f37b4b05eec616b3dd12a0fe1152fbc3bec80b535eb9ba24135daaee0b5a728dd8ebea279 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
| MD5 | 96b62cfb83cf0e9790a3ef939173ee31 |
| SHA1 | 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1 |
| SHA256 | 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23 |
| SHA512 | d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll
| MD5 | 37a407be4d9bb791e2fa1f326c7bb961 |
| SHA1 | 614fdf4b66a07cd35c42a00da48a4ed2ebc109be |
| SHA256 | 9bbbb0f33fc963ef049b8103d294de36a97c6c9393eacca16857755b2765edd5 |
| SHA512 | ac49930e57ecb496e07573ea1b3b7c28d2c26ce198db789f32a6b5c21d85a5d244b567319116416b94a53e978cdf5bb87c89d0475a7dde9d3f549ed44edc1e2f |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll
| MD5 | e7fcab954f116c8bb4b006145c20dd23 |
| SHA1 | 91ee70a33ab12618f0f0ec229de4583d9aa52a8a |
| SHA256 | e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2 |
| SHA512 | d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5f6f0e0984c0b6dcec31f023737e8b5 |
| SHA1 | 41b34655b06ee441e83d2e49849ae98ef25a5d9c |
| SHA256 | f332af5214bc4b69be5b4b3630f9d9116d53ae1921bf6a529fe0f80585a6ad4f |
| SHA512 | 5a9be5c39d48aed821d4e8354595ba6092861354ce8d994887cf97bc852fc78b8d296e1b9fa9b5faa84b5fa3b272dc3d5cd9652142ee4390836deca33e124fdf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dab10d3080602098adba1e0255cf67b8 |
| SHA1 | 84125cdb7e1cc1b5e78d3e9fb6cdade0b3892616 |
| SHA256 | 71f1747148cc6b4d9d1f9143811f665159724e5317d61b24c64f97f72af085ba |
| SHA512 | 12aadaefcd0de0c4c38bb2ff9b46fb1320e36595c5dc5d4c03ee746f33329e68691493dd6bb48434f17916efb37e145ba998192d031f88e225bb8d036340c516 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e0cd15f84cfb0aa488291a72c078a42e |
| SHA1 | 8d323fa8b706089cbe994412b7a9679b92e9012a |
| SHA256 | 7a56c475a07fbccb1d9b47be42b55b6a4dd4868c72d2d334e293363ee2ea45c2 |
| SHA512 | 8ca5187bfbf4de2e89b7c9c4c304e1b27a10bfc12d4adf8a2761bbc05e2d38bc83fdcfe207fb0677da6e372c399a3cd6d6b023714d4818c9ffe0235d49b66986 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb320cd089730e66e642d0c98b73d9f0 |
| SHA1 | b9949270e2d869c30a4d7cdc62e84a824cca9817 |
| SHA256 | d9e0684d8b45c970357d24b90ac4ff45c6377933219e27120141738a7ba4eed7 |
| SHA512 | 5bd3b8b8425bb037dcab3bbdb8710be1d8ddda60adbffd64f22b6cac8a2eb4ac9e23e362098e053149fa2a330221c46a32aa8833d4c6d8a8721cf46e870b5e39 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8144d412a903bf7821b988bb2fe48f61 |
| SHA1 | d3737045e10eea75773d3e63d611e219e62498fc |
| SHA256 | 6d8144fef8c2c677ca68a0f996d5807a4cc30454868da17b542cd553133d7023 |
| SHA512 | dc7f372d5dab5d65a5f604de67c121ce3d2a66b41e6467716cad6eb749c5ee5ede04cf2658765a8b6bd2ff973a31a47fe517a02c2f828cd954d280ea85083673 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dccd5a333faf5f98ce313729f7434321 |
| SHA1 | 6194fed4bf7c93281121574aff82eddc8f6b8d8e |
| SHA256 | ab1879448b2bc67dc0d42bfb387d1124ff652fd63282a11d8bfbba1516f7bb87 |
| SHA512 | b7822244d57b47184edfccd1c96740875b65470e0d217705ea230f6bd35faf99343dca1e59a300d02526cbe902f569bfaa57cec1e1f800e9b0c4f9158d74535b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 31df5c77060be7239e4665bd8c9ab59b |
| SHA1 | 05115d49dacffd9c635c9cc40b515dcdce9394d2 |
| SHA256 | 6aec21073088df33161ef3d9a1cacd117dcde172d98a14bca62bcebf0eb989f8 |
| SHA512 | 95f5137ea2f6f77562ad23427156fa0f7189998905e0d6c9ac026ed392741b624055b1400657100e9a8ecb642b1dee4176416de22c51a4f0425263407d1f2d89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6a96b9095dce915a585266fc7220e983 |
| SHA1 | b49424e68db3e836bc6d5fbec446a08acddaaf6e |
| SHA256 | 7cacdb020d5ae59dec096dff0890c38c43ebda36190cda440603c1db100c8eb6 |
| SHA512 | 06b34115d1011c122b8949caf69789f5057c5c7a09f47e65a61d492795da92b619d0663b9da06bea1e13e047a02ca80c5a8964e65294bae96c4ff5adb9c8a48e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a522803731bf20138335266c89589792 |
| SHA1 | eb19f8e3b770966c02c2476e536267e6dd05057f |
| SHA256 | ad82b902b0b1e18a10302034d9ae7cd41ac925b65207290a5a4ce2a3b6dd748a |
| SHA512 | 261ebcb5f8659c06d8957a870daf7b9933619a5c535eb7a8d9fd593a6ee31437a75b7fdf64acda931e451eb54b7ea1adcf8eee5324df316336c64769b1fb2e68 |
C:\Config.Msi\e585909.rbs
| MD5 | 43fef200a91829434a5cc7ac7178d13c |
| SHA1 | 0dcdefa85bad0309b183c5f5276c1031e737b687 |
| SHA256 | 4dc595898010dced1a7fd6f47ac1d3bbf41fe29fa2472aed9a650ba112732c31 |
| SHA512 | 13b6abb9659dd92feb96ca1ae6b8d7707909a48f11601b4d154b1f80605c59a8f5d637fe5b5eab44c4db1ceed391d2cd9f13df402726c1f434350aae0e393ba2 |
C:\Windows\Installer\e585908.msi
| MD5 | 1b9aac91eee54cffc5e27c374a11a99b |
| SHA1 | dcadbc0f895816c6c403f06b3f8e12f279a6cf7c |
| SHA256 | fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45 |
| SHA512 | 19bc82314eed220bb34c0d467185fec9ed5cda022f9efe05e56acad7bdecd33b4e3013317707911e645df44bd6c412fd1fc16dc6261ee2c7cc2dd0f747eaf36f |