Malware Analysis Report

2024-12-07 14:53

Sample ID 241007-fl9geaxcjl
Target 1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118
SHA256 fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45
Tags discovery persistence privilege_escalation defense_evasion execution exploit
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file 1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Blocklisted process makes network request

Drops file in Windows directory

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Modifies data under HKEY_USERS

Modifies registry class

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 04:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 04:58

Reported

2024-10-07 05:01

Platform

win7-20240704-en

Max time kernel

143s

Max time network

118s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID91D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{5D86D587-6E45-4779-B228-F0B6F5F1B880}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f76d5b9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d5b6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID8DE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDB32.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d5b7.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d5b6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d5b7.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\PackageCode = "7938FBA7517767846B9F436057651832" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Version = "134217999" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\PackageName = "1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductIcon = "C:\\Windows\\Installer\\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 2300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2868 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2868 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2868 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2868 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7A724035F599F8E182447BABECF0E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 86FCAA2751854922C254FCA327E9A563 M Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
GB 2.18.63.21:80 repository.certum.pl tcp
US 8.8.8.8:53 websekir.com udp
N/A 127.0.0.1:49411 N/A tcp
N/A 127.0.0.1:49414 N/A tcp
N/A 127.0.0.1:49417 N/A tcp
N/A 127.0.0.1:49420 N/A tcp
N/A 127.0.0.1:49423 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabD423.tmp

C:\Users\Admin\AppData\Local\Temp\TarD445.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

C:\Windows\Installer\MSID91D.tmp

\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll

MD5 79ee4a2fcbe24e9a65106de834ccda4a
SHA1 fd1ba674371af7116ea06ad42886185f98ba137b
SHA256 9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613
SHA512 6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll

MD5 1776a2b85378b27825cf5e5a3a132d9a
SHA1 626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df
SHA256 675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee
SHA512 541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll

MD5 ad99c2362f64cde7756b16f9a016a60f
SHA1 07c9a78ee658bfa81db61dab039cffc9145cc6cb
SHA256 73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa
SHA512 9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll

MD5 d5166ab3034f0e1aa679bfa1907e5844
SHA1 851dd640cb34177c43b5f47b218a686c09fa6b4c
SHA256 7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5
SHA512 8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll

MD5 9ddea3cc96e0fdd3443cc60d649931b3
SHA1 af3cb7036318a8427f20b8561079e279119dca0e
SHA256 b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5
SHA512 1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

MD5 1e109b1d40efcfec81a5d43d318cbb26
SHA1 03aae193dc36d70fb34257d1276666e988b4a222
SHA256 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69
SHA512 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll

MD5 034379bcea45eb99db8cdfeacbc5e281
SHA1 bbf93d82e7e306e827efeb9612e8eab2b760e2b7
SHA256 8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65
SHA512 7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 228c6bbe1bce84315e4927392a3baee5
SHA1 ba274aa567ad1ec663a2f9284af2e3cb232698fb
SHA256 ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065
SHA512 37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll

MD5 9b79fda359a269c63dcac69b2c81caa4
SHA1 a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb
SHA256 4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138
SHA512 e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll

MD5 39325e5f023eb564c87d30f7e06dff23
SHA1 03dd79a7fbe3de1a29359b94ba2d554776bdd3fe
SHA256 56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a
SHA512 087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll

MD5 8da414c3524a869e5679c0678d1640c1
SHA1 60cf28792c68e9894878c31b323e68feb4676865
SHA256 39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672
SHA512 6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll

MD5 70e9104e743069b573ca12a3cd87ec33
SHA1 4290755b6a49212b2e969200e7a088d1713b84a2
SHA256 7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95
SHA512 e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

MD5 b3c188281aa3998f49391da0c3b52b8e
SHA1 67e6f1eb07861dddde3df9d266f683cb0331d433
SHA256 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46
SHA512 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

MD5 888aa12cc20f645dd2fc04f52e453bc6
SHA1 b19e790c9e6ceface9cdd41a24518d6e4a953b23
SHA256 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb
SHA512 f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3

C:\Config.Msi\f76d5b8.rbs

MD5 1a3821670061e62edb80b5f046b7ad50
SHA1 7b36cabfbfeded52947d5e3895ee25c68fd56d03
SHA256 2a9965a26a4b16ff85c8e8ff6ae5d0648b6dfe648f371d95bdeada91ac01ab08
SHA512 8fe28c37551ef83e06cb54250453815e3304c26a793793d8be7af8a4281b80cef9777d40257975fe5b9550d1219102fac2f47f08eab3430f97830f311cd42887

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

MD5 96b62cfb83cf0e9790a3ef939173ee31
SHA1 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1
SHA256 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23
SHA512 d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b

C:\Windows\Installer\f76d5b6.msi

MD5 1b9aac91eee54cffc5e27c374a11a99b
SHA1 dcadbc0f895816c6c403f06b3f8e12f279a6cf7c
SHA256 fb76a02ffa6e3ef8c141e7994f808e76013e4e39f03a2c2f4cffeec8fcbd6e45
SHA512 19bc82314eed220bb34c0d467185fec9ed5cda022f9efe05e56acad7bdecd33b4e3013317707911e645df44bd6c412fd1fc16dc6261ee2c7cc2dd0f747eaf36f

\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

MD5 37a407be4d9bb791e2fa1f326c7bb961
SHA1 614fdf4b66a07cd35c42a00da48a4ed2ebc109be
SHA256 9bbbb0f33fc963ef049b8103d294de36a97c6c9393eacca16857755b2765edd5
SHA512 ac49930e57ecb496e07573ea1b3b7c28d2c26ce198db789f32a6b5c21d85a5d244b567319116416b94a53e978cdf5bb87c89d0475a7dde9d3f549ed44edc1e2f

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

MD5 e7fcab954f116c8bb4b006145c20dd23
SHA1 91ee70a33ab12618f0f0ec229de4583d9aa52a8a
SHA256 e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2
SHA512 d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9

memory/2092-220-0x000007FEF58E0000-0x000007FEF5D60000-memory.dmp

memory/2092-221-0x000007FEF58E0000-0x000007FEF5D60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 04:58

Reported

2024-10-07 05:01

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

128s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{5D86D587-6E45-4779-B228-F0B6F5F1B880} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{5D86D587-6E45-4779-B228-F0B6F5F1B880}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5B5B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6000.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e585908.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5A7F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585908.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5F24.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58590a.msi C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Netflix Activator\Active = "Yes" C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\PackageName = "1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\PackageCode = "7938FBA7517767846B9F436057651832" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\ProductIcon = "C:\\Windows\\Installer\\{5D86D587-6E45-4779-B228-F0B6F5F1B880}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\785D68D554E697742B820F6B5F1F8B08\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\785D68D554E697742B820F6B5F1F8B08\Version = "134217999" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 2336 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3204 wrote to memory of 2336 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3204 wrote to memory of 2336 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3204 wrote to memory of 1684 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3204 wrote to memory of 1684 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3204 wrote to memory of 1684 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1684 wrote to memory of 4068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 1684 wrote to memory of 4068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 1684 wrote to memory of 4068 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 4068 wrote to memory of 4828 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4068 wrote to memory of 4828 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4068 wrote to memory of 4828 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4068 wrote to memory of 3188 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 3188 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 3188 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 4192 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4068 wrote to memory of 4192 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4068 wrote to memory of 4192 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4068 wrote to memory of 4628 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 4628 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 4628 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 4476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4168 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4168 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4168 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 2064 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2064 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2064 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4068 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4068 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4068 wrote to memory of 656 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 656 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 656 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3208 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3208 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3208 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4700 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4700 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4700 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3480 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3480 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3480 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1708 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1708 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1708 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 2364 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 2364 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 2364 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4788 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1b9aac91eee54cffc5e27c374a11a99b_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 01143F2FDA5C79D5CCB5D1273349C961

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3490A9C956A4FC4C03E74238C34E96D3 E Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Windows\syswow64\cmd.exe

"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\smartscreen.exe" /a

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /reset

C:\Windows\SysWOW64\taskkill.exe

taskkill /im smartscreen.exe /f

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Register.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
GB 2.18.63.53:80 repository.certum.pl tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 5.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
N/A 127.0.0.1:50438 tcp
N/A 127.0.0.1:50450 tcp
N/A 127.0.0.1:50458 tcp
N/A 127.0.0.1:50461 tcp
N/A 127.0.0.1:50464 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 04127ae9ffefef2d0c6e2b0940262e56
SHA1 78e0c8f0a65f533d0eee6c1fee555d6f5e5cc855
SHA256 e69ce4132f973abb4c4775e6c555fb88d2d1c556c0036a0a9cd4271a57294fa3
SHA512 4c2b03617a21607323c2bdab12ed012fa66e1e3fb05b3ca545e154c9d97ca03dc94c255c4bc48a4c127d714dd5b9542491b7efbaf2de3bb8a5b67edada8713ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 e22e48cb1b26bf8dd97314b2d21676d4
SHA1 efbb1857394d1166aa0b8c71a20674cfedf9faab
SHA256 74be3f71da4c1b8ccb24a26bc1fdd42187308c7792d9aa45c4fcbcb1748afb51
SHA512 11d56e475fa986d5d0f9a8fd52b8e3197b05b7ef78b7ffb9a896e69710eaf8f34503ba39bae40c891e2c10df7cb689c285e306a18f524c67367396397dea1c6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 7e609cb788612b7de4bfd2e19ebf6ff4
SHA1 10720164c06e6464f5c6c3c4c54f48019578633c
SHA256 7756b92245f83743c6bf5b5a82e88493f128aba60d46635e29e53c493f9a9e16
SHA512 619b2d045fe447e6661ded55dd75e78933645155422f39d63c5576c5f45fb8d90e9955d6d1afa05f82d8d5eee05ae8a6992f5f261c315354325a0709362cc17a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 4daf20835f87faa3774a35850b921aeb
SHA1 7fbb96f3b550265619038ab14ba518c81193b156
SHA256 852b6dc61f267bf2a1f73f1b1471e3c5ef7b8052363051b9e646778b0f9f7e89
SHA512 567351176fc881faa18c2d87b20648ea03e469960340ef05576de673eb685ec6c7a1d1a2308da4bc0e4997d4d99f023013d36881f3effc41fefed06f23183504

C:\Windows\Installer\MSI5B5B.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

MD5 4fd1d700b7a3bb98e3bff8aaf3b1f26a
SHA1 031abd17460bc4330aa0f46be504969acf8f00fb
SHA256 7f42b07d07d9ad8889bfcc6fc8b49b921674d399360206c50331e269962575db
SHA512 4192f9ff958985f2bdae4f7461cdafee2956641a7c8763e999abbe6c42096698b2c7ce8da36fcf0184012820e68be0ee00ebb67d984718cd4f278a24db9c2bff

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

MD5 e008fbfdea1bf873f3d94d74c1cf7935
SHA1 2a2af5e9084e7b55cdd5d01df342b02c1917573c
SHA256 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b
SHA512 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

MD5 1e109b1d40efcfec81a5d43d318cbb26
SHA1 03aae193dc36d70fb34257d1276666e988b4a222
SHA256 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69
SHA512 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

MD5 9dda681b0406c3575e666f52cbde4f80
SHA1 1951c5b2c689534cdc2fbfbc14abbf9600a66086
SHA256 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3
SHA512 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

MD5 b3c188281aa3998f49391da0c3b52b8e
SHA1 67e6f1eb07861dddde3df9d266f683cb0331d433
SHA256 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46
SHA512 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

MD5 888aa12cc20f645dd2fc04f52e453bc6
SHA1 b19e790c9e6ceface9cdd41a24518d6e4a953b23
SHA256 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb
SHA512 f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat

MD5 0a16033c7df6ba580e33c66fed1a12d7
SHA1 50fc0b9f740a9e82717f2370fe0a15e937a84208
SHA256 08d68557b06a5cb43ce2719bf82dd2fee6bd78a58c88a37e5ee5d54b2ea14623
SHA512 c252e11099d52bc57bd49ce5732a7cd5fcbd155b36e0b0b27a3e8a3023949708362e4156e09f467b35c27543a652173a8dbe29da13dbdb23ecd2354c95569b44

memory/4168-81-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/4476-82-0x00000000050B0000-0x00000000056D8000-memory.dmp

memory/4168-83-0x0000000005460000-0x0000000005482000-memory.dmp

memory/4168-84-0x0000000005500000-0x0000000005566000-memory.dmp

memory/4168-85-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/4136-91-0x0000000005770000-0x0000000005AC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpaqroz1.3to.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

C:\Config.Msi\e585909.rbs

C:\Windows\Installer\e585908.msi
