Malware Analysis Report

2024-11-16 12:49

Sample ID 240811-3cm85stfmp
Target 8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118
SHA256 de932dfeffdc704b1e945b00c74792130b9c08c347ccfecf86824e7f8669be0d
Tags
defense_evasion discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

de932dfeffdc704b1e945b00c74792130b9c08c347ccfecf86824e7f8669be0d

Threat Level: Likely malicious

The file 8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Loads dropped DLL

Modifies file permissions

Indicator Removal: Clear Windows Event Logs

Deletes itself

Checks computer location settings

Enumerates connected drives

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Indicator Removal: File Deletion

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 23:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 23:22

Reported

2024-08-11 23:24

Platform

win7-20240729-en

Max time kernel

122s

Max time network

123s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 2544 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 2544 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 2544 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 2544 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2300 wrote to memory of 1644 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2300 wrote to memory of 1644 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2300 wrote to memory of 1644 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2300 wrote to memory of 1644 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2300 wrote to memory of 596 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 596 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 672 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 740 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2300 wrote to memory of 740 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2300 wrote to memory of 816 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2300 wrote to memory of 816 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 2300 wrote to memory of 852 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 852 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 296 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 1128 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 1128 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 2300 wrote to memory of 2148 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2148 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2148 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2148 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76b2ac.tmp ,C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~~f76b2ac.tmp

MD5 500fc03795264aedebfa2f366e184b28
SHA1 f9d688da4a491223ab5dab1181f9c6290e3039ee
SHA256 27eeca39a445b0e0bcb6067a3fbb55a45963f29b84977a1987e64a7240045327
SHA512 03060c034c82f850cabfad3956be13fbaee7f4bb3583c13357bc9733218777cb29a4099bccf498457627515ef3b82da6eb300850a6bf0f5c3727411195caf5d6

memory/596-12-0x0000000000460000-0x0000000000461000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 23:22

Reported

2024-08-11 23:24

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

152s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018C00ED8331D0A" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133670775166853784" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922795557438" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678921442432435" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678922398214000" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678921732276420" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678922063995136" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922384151375" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678922806651217" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678921735713728" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678922797901150" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678921400514337" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922396651532" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922411494914" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133670775164822217" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922055713733" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133678922793994906" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133678922421182682" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4496 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4496 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 416 wrote to memory of 532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 416 wrote to memory of 532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 416 wrote to memory of 532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 416 wrote to memory of 784 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 784 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 888 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 888 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 944 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 944 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 512 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 512 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 724 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 724 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 984 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 984 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1076 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1084 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1084 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1152 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1152 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1196 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1196 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1244 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1244 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1324 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1324 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1332 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1332 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1392 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1392 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1472 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1472 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1540 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1540 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1632 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1632 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1724 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1724 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1752 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1748 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1748 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1888 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1888 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 2000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 2000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 2008 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 2008 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1452 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1400 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1400 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\svchost.exe
PID 416 wrote to memory of 1488 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 1488 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe
PID 416 wrote to memory of 2120 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e578d3c.tmp ,C:\Users\Admin\AppData\Local\Temp\8c63e0940ad716bc2a82d6f8e034bc07_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Windows\SysWOW64\cmd.exe

cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~~e578d3c.tmp

MD5 500fc03795264aedebfa2f366e184b28
SHA1 f9d688da4a491223ab5dab1181f9c6290e3039ee
SHA256 27eeca39a445b0e0bcb6067a3fbb55a45963f29b84977a1987e64a7240045327
SHA512 03060c034c82f850cabfad3956be13fbaee7f4bb3583c13357bc9733218777cb29a4099bccf498457627515ef3b82da6eb300850a6bf0f5c3727411195caf5d6

C:\Windows\SysWOW64\apa.dll

MD5 97b967ba3f07f91baebc4dbe9dc6d80a
SHA1 81766264d2021ec3729b4f9593b6f23747139b74
SHA256 fffc52d427a9275df40d28177dd0f03461b109ea043eb34f3d0608e17a1ad479
SHA512 7a69a4bacb8bc20b6018b573bb59e872847641b6833d06179ec83b4dbcb57f34a5753036b28200d589d9683db68b2951240d7b4a659f32a37cd3d24a3f1fab17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 8245ac6453063c1972a1c055947ac094
SHA1 daf5c3c243b748a14d791f2ee0403b6a0fa3ee63
SHA256 780bfeba4014cf846e83984342b283b7e3ea38f36eed983c60eda3a5fc0e03d6
SHA512 4469aac1909bd2b802160852220582dfaff71533f0ebcbb3de9a484a9188eaa5347db6009a1ee167256fe9c9acecddd7fc7f9b914a0eef90ef714a27611fabd1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 c441f0379139129284e828eedc3180a1
SHA1 70934a6bd42c095e0360589a0762f0d614eeae5f
SHA256 aed375cb96ca4af405465012a548f768fb9355a7ee079d15ca5f76d1ef982357
SHA512 d5cd8b3dedd2b37aed1706afc41c396a633b4ebb4a07a2d11bc0d924b006e685c0df107fabaa717507125990f62c6ed6581f98f2db01e06489cf92978d074abc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 762615966377f5564210c12d8e4b6509
SHA1 569215df5ed79c23962740925c28bb21c70e38dc
SHA256 7241862f4298eaaf2ef00750903f6edf487d77a077b1fbfaa9cc3a059d344d3f
SHA512 5a144ed6c1d3fae4a03e9ccc28c6564accc7a4410917b9570d72a4c3232847b9c58611667b5a2e172c3f4e9dd59a4a64d9c526260eca33855ac7413bc7ea9acb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 9f3d78edba08af7b7ea85fa90b81c296
SHA1 a5eae02ab0fadd243081fb688d765b198910959d
SHA256 f7b6794a9a2e75d5fcab8cc7efe4f968b54a94acbd44511ccdac980d51cb6ff4
SHA512 89581cd0e4128b893e3486c7430a539971fd01d26aeb7df07f1eeb3ea67e160fcafc24d679b5cf09e87d60b8fa6a2b082502a460a351bc2144dba2ad35f832b9