Malware Analysis Report

2024-12-07 14:42

Sample ID 241011-yyplwa1fqb
Target 369b5dff03c39b93b16c8af2838a54af_JaffaCakes118
SHA256 9b3995e26d21f1eccace74b0ae1092b658f5943cdb8299f7cebc5dcd2856b60e
Tags: defense_evasion, discovery, exploit
Score: 8/10


Analysis Overview


Threat Level: Likely malicious

The file 369b5dff03c39b93b16c8af2838a54af_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: defense_evasion, discovery, exploit

Possible privilege escalation attempt

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-11 20:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-11 20:11
Reported: 2024-10-11 20:14
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor8546.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog8508.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuse8575.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScr8601.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\temp.000 | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\core8537.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\obje8565.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ = "ISetupUserInterface" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\IScript.dll" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine.1 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ = "ISetupFileRegistrar" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ = "SetupLogServices Class" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper.1 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ = "ISetupMainWindow" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ = "ISetupObjectHolder" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ = "ISetupFeature" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ = "ISetupTextSubstitution" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 628 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 628 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 628 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 628 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1312 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 692 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 692 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\svchost.exe
PID 1312 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\svchost.exe
PID 1312 wrote to memory of 824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\svchost.exe
PID 1312 wrote to memory of 824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\System32\svchost.exe
PID 1312 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 976 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 976 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1312 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\svchost.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 1500 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2532 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
PID 1812 wrote to memory of 2824 | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe

"C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe"

C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe

"C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\~f768279.~~~ Install C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe" -n Evaluation -k FFG0S-1P5W3-TC3X9-6CT9Q-3GMM5 -p "SuperCache and SuperVolume Server Edition" -b "scsv.bmp" -a 30

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /UNREGSERVER

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 20:11

Reported

2024-10-11 20:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

146s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
N/A N/A C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\temp.000 C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorb8ff.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuseb91e.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coreb8ff.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objeb91e.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\IScript\IScrb96d.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILogb8c1.rra C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731511511489945" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS\ = "0" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA} C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303} C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA} C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303} C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA} C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303} C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd} C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\ = "InstallShield Runtime 1.0 Type Library" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC} C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ = "ISetupWindowBillBoards" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ = "ISetupDriver" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC} C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper\CLSID C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 2800 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 2800 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
PID 2800 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 2800 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 2800 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
PID 3480 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe C:\Windows\SysWOW64\rundll32.exe
PID 3480 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe C:\Windows\SysWOW64\rundll32.exe
PID 1456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\takeown.exe
PID 1456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\takeown.exe
PID 1456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\takeown.exe
PID 2688 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe
PID 2688 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe
PID 2688 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe
PID 1456 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\icacls.exe
PID 1456 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\icacls.exe
PID 1456 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\icacls.exe
PID 2368 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2368 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 2368 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
PID 1456 wrote to memory of 792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 896 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 948 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 948 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1548 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\svchost.exe
PID 1456 wrote to memory of 1720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe
PID 1456 wrote to memory of 1840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe

"C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe"

C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe

"C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\~e57b4f8.~~~ Install C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe" -n Evaluation -k FFG0S-1P5W3-TC3X9-6CT9Q-3GMM5 -p "SuperCache and SuperVolume Server Edition" -b "scsv.bmp" -a 30

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /UNREGSERVER

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2800-0-0x0000000002100000-0x0000000002101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe

MD5 74c87260f85dd3a5267e9e58bf9434e4
SHA1 6d9cf4190c98beb4885ef0504cdb7af693b9a70f
SHA256 f07c26ce18a0fe11ebf9f05e6636bc2264cb03070c980797cd659256c29efe6e
SHA512 bd9436844a9ed747fe8d2df1f2d795c75a29e2b524ccbe899af0ed183444bd83ef075b6575e859f77a1399f64458ca2c9d8c062c59d4864b5a9bc95776531a9a

C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe

MD5 35cb85ff694a1504c8c1681e5f49c75b
SHA1 4a0407b9e496e50cd06d198cc9d5f33f55686113
SHA256 d409c7ddbf42b27c0eae0cef7f0a26b1bc85edfcfa8bed9bba6fd1c7662d471f
SHA512 9db434a319da5805e04d2f8022b42294113bb0d2c55ea700e278db35cdc2f2effc387515f878c163b407bcba0b0c0c882c1b2afbdef93373cd11fc12196b7c2c

C:\Users\Admin\AppData\Local\Temp\plfB47B.tmp

MD5 cfaec980a3639a6b33704c0db20cb812
SHA1 e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f
SHA256 55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c
SHA512 72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2

memory/2800-34-0x0000000000400000-0x00000000004A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\pftw1.pkg

MD5 6307e791403b5be273394430e7ae2a1c
SHA1 83db5ed7055bd2aa3ceb841c6bdf67fc45f439b1
SHA256 f0a732bd0c2194704dff1e2c581376f39ea5e7dbac83a73051ef3be3f9e695ec
SHA512 783bfd27e7eccda7936aadc2f2cf4cdf7c9e4874885dce3f2e7ad0f0d640bc446ba199035d576d9d519cad166cd0843733b5311a79effa27fc2b487a1f1f1a0f

C:\Users\Admin\AppData\Local\Temp\~e57b4f8.~~~

MD5 92eaf64ce3cc97c97f6c33bfcc782992
SHA1 2192b7dea17f80cd068b29189bb8c53cde62baf2
SHA256 c10d3f4c7077170216cf40dfb06b7b1cce5eb6a994f7f40041957cd734af80ff
SHA512 f2c13815502d357493d551786b066540224e8a6ec3ce095b69fa30bf8a9d55b63fb59771efb47ca6be6d1acced0f241e704757dccca826136c23d4ebbbb2dccc

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe

MD5 b1b88b62c82475661654064c2fee6748
SHA1 a96669ddc222a5a5259b564bcc2c5b526b6832df
SHA256 85055990a4f7bca077d4b297f53a0248b0ac38fe1a491a0548b7b1bd3249d038
SHA512 e092c36c64dfdd9e2cc86b1e03745f76a49646a78bdfe1f501d784bbabc9e8f794728a490c8774cc0796eeb636132ebf86a862b0d6d36afc9036669f43419ebd

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\setup.ini

MD5 8a1d003153418f4147e6ab4007fb559d
SHA1 030d627b3573ee9dbb6df201174f7150d5f94241
SHA256 e59fe4c855b31bfda9fce52cef2265075eb45aed2449198711fac96d100cb233
SHA512 a1ec01c218b847a0f7a5e4a167fc485c3e306f8223880f97e5436a5885868bbb03354fd48187c0ad7a19aa630d49fbf4c24566fee83fe2ff85d2ce0e68160f24

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\IKernel.ex_

MD5 93b63f516482715a784bbec3a0bf5f3a
SHA1 2478feca446576c33e96e708256d4c6c33e3fa68
SHA256 fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249
SHA512 2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe

MD5 b3fd01873bd5fd163ab465779271c58f
SHA1 e1ff9981a09ab025d69ac891bfc931a776294d4d
SHA256 985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931
SHA512 6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

C:\Windows\SysWOW64\apa.dll

MD5 29024dbe8cf92a96b2ff3733c5e68a1a
SHA1 ec6cad94980078b0033d683bff93ce0a5da40b11
SHA256 02eb06e3565ad37dcc204ab2c3525eb3545d0c5085ed7f75dbc39cfec805d15a
SHA512 37351a404c93914250c8dbdded71ac9c1c4f218a25a0af1358d87442114261d68e3891033dc1a05c7f63a084419d26e65cadb61d3eb6b06f23ee5bb1b1d000b6

\??\c:\users\admin\appdata\local\temp\pftb567.tmp\data1.hdr

MD5 29ff043f724cb236e1ee3cd65a7d9b14
SHA1 c4e0cf963136b39361af4d3f2313ed7845355491
SHA256 6e9bf81ab44e9e3921a938d14a61661acc99953d1f684f02a553c724fa345fd9
SHA512 70628884f4e05b4a440c5d43402c81f0c8bdd04d9c6b7ae2209adabba4e65a016c4f3eb8f977e7daacdbd2c5a9ad5b2efb74cb22a72c1a9e7a4c030e17659e90

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\setup.inx

MD5 e7ae1aa17a4a8428f363e35ab612f8e4
SHA1 313f60f47177ec28ba2b3c6be668253d419f2770
SHA256 15ba61a674f6fd088b84908abb4c7b087f81e7fcd78399979e1587c1d9ff0af3
SHA512 aaa7d93899af77542ccf4e4a379edd4ee06d7bf6a41ab45a7378a34d94fc6c0a98b6c5ffe4e0d38e9f308194eab493ed5dbd76d24164669be3ca2bba36393a56

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\data1.cab

MD5 f849d66f74c9aaf467f2a952742ccf22
SHA1 98efcb978e4534725f680e87ec58759894c458a4
SHA256 dc26595a36b882e75afb220a85b12697e2497a76246e6ecb3d306303768c5093
SHA512 ca5253251166c6ef13551d83dd0683c316b6563245ca7dbc86bcdb6fbe2179cca4341c3695e1e56743c7ef0643980b3806fa671f0fd6b04677dcec3423148f7c

C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\layout.bin

MD5 1fb8e61eb23b1d7141c1d2bb9e4ecf2e
SHA1 0d2d0118578160bbcf4c634e7279fa649b3b8014
SHA256 b788334c1be6240e7656c45f7b14f090c095050505c08722788c48231842d185
SHA512 ff19732307f65522f9b6f850edf14230868772d18b21a59160cb682644083085561a486b1334baee31126e4a24be7355d4f7427c18d7673ff9b6eadb2dcdf934

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll

MD5 a2b4718bb69d081202af2aa317dc0c0b
SHA1 4f95adf0393890b36d6b06a0dd153506b4cd39b2
SHA256 69d84c8fe49021c1fd4e3e1678090c0517d753176ad74dbee25c053528373fb0
SHA512 d46062f756d9c128acf354a075ca82d39831b85145c94e9a816e5e2c09e5070f445f69abd2bc6028c6c45238a897fc93d7ac05d513286afb37492e938291e618

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini

MD5 62d5f9827d867eb3e4ab9e6b338348a1
SHA1 828e72f9c845b1c0865badaef40d63fb36447293
SHA256 5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5
SHA512 b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll

MD5 003a6c011aac993bcde8c860988ce49b
SHA1 6d39d650dfa5ded45c4e0cb17b986893061104a7
SHA256 590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a
SHA512 032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

MD5 8f02b204853939f8aefe6b07b283be9a
SHA1 c161b9374e67d5fa3066ea03fc861cc0023eb3cc
SHA256 32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998
SHA512 8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

MD5 377765fd4de3912c0f814ee9f182feda
SHA1 a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1
SHA256 8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb
SHA512 31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll

MD5 b2f7e6dc7e4aae3147fbfc74a2ddb365
SHA1 716301112706e93f85977d79f0e8f18f17fb32a7
SHA256 4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1
SHA512 e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\scsv.bmp

MD5 309bcd2f9f3162fb639d27a8c73f960d
SHA1 21dd5fa90318b75c2131dc4736c6db68cc9db500
SHA256 917c851cc8fb108cfee4e9c561285feb88f8b6b48482e5533bd323ece7be335b
SHA512 ca18d2cde8179b3ea5008d3096466488f9a7383867bfa4eb4530d16ece99bba178b7b1968c034465e50f134ea6b6dfc84d45227df58fe45011609459c0ffd095

memory/2132-279-0x0000000003380000-0x00000000033B8000-memory.dmp

memory/2132-287-0x0000000003720000-0x000000000376F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\isrt.dll

MD5 10b069f6492bf91d8ec04bef6de355dc
SHA1 5391ea593b66f357d1e24bd294d1d21da396dfa2
SHA256 d7b01c3461c9214758f777c57defd8a91a72bb357d504c4936417a407a409ef1
SHA512 88320f2895525974eeb246844e5315e509607152d317ae44e66cb5ff390db6ac57cef06f94443aa123a2962294f132263a65a7054488c69d86b4d2afe9ecc5fe

memory/2132-293-0x00000000034F0000-0x000000000351C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\_IsUser.dll

MD5 9ac0813e2f477be98344022b4543e097
SHA1 0fc0d24d4ce7420c1cee71c0860a18f6d8f6b890
SHA256 293ea8ae72991b6ab3b35f9da32652e391cfe243b9261280f02c3a0093afa420
SHA512 1e0a01f1fb360b06442d4e709331c4efda96a04ab7ca39dc000966384f4e2ccb1fb0069bcc3e6aaaa25ef7bdc4735d21e5a25fd93274b358df5e7311c78eb762

memory/2132-302-0x00000000034C0000-0x00000000034D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\_IsRes.dll

MD5 40f51c7a52f13ecf92ac81785440e2a2
SHA1 da47b2050ee143136894a51085f0a0163a831dbe
SHA256 3a43357b59e150fe05904a8126e079cfeb0902c3738d838f81b394cee553c4bb
SHA512 b31bff56fdb9c9505a4e765ee59d977602514abaee9168a67639b166e95c412be5d6b20caae27f9aef1514f07a4998f37460bd3e5f9d901de6b313f2dab73429

memory/2132-273-0x00000000021B0000-0x00000000021C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\SscVfIs.dll

MD5 e6fc79ce876c2bc0832ca9ac8198bb39
SHA1 5e843993f575902b5a4fa2eda7c28dea9c09ed23
SHA256 1bded0e854f25a516208495ec44632ecfe608ec08dbc0983a9a66bc2d96a6a8f
SHA512 546bb06548b4ba4613e8ac9cf795fd4d20413173bea4241ecb84ed6c1bbd99cba4c0c285d6e60d0bbdc62fea1d167808ab771d0a2998d29323afc12c33665957

memory/2132-311-0x0000000003D60000-0x0000000003D7C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 d24b359dd15a84476a1ede3adbb70449
SHA1 368d7d8880b0d0c10d21cee010d47531e188bca6
SHA256 eeb4a10091ea365ac48d329ac8738515cfa0370c2fbdc1e5387ab275d02e18f3
SHA512 3381c75f074d4a4e0cf4dc05f7dd4fbda268b7cd42b45a0e56c8ae6dfb1990892539b101caec0dcb4fb80a17688ad8e122ec5cd1db62f3fa286c155cdbbcc3af
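A listing like the one above only becomes an indicator set once it is parsed and sanity-checked. The following is an added example, not part of this report or of the sandbox that produced it: it parses this section's layout (a path line followed by its MD5/SHA1/SHA256/SHA512 lines, with memory-dump lines that carry no hashes), rejects digests of the wrong length or with non-hex characters, normalizes the native-path form (`\??\...`) the sandbox used for one of the temp files, buckets each drop by where it landed (SysWOW64 versus Program Files versus the user's temp directory), and matches the bytes of a file collected from a suspect host against the set. The `apa.dll` and `data1.hdr` entries embedded in it are copied from the listing above; the `constructed.bin` path and the bytes it hashes are made up for the example so the match can be exercised offline.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Accepted hex-digest lengths; a digest of any other length is truncated or
# mis-pasted and must not be loaded into a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

@dataclass
class DroppedFile:
    path: str                                   # path exactly as the sandbox logged it
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

    @property
    def is_memory_dump(self) -> bool:
        # "memory/<pid>-<n>-<start>-<end>-memory.dmp" lines carry no hashes
        return self.path.startswith("memory/")

def normalize_path(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and lower-case, so a file logged
    as a native path matches the same file logged as a Win32 path. 8.3 short
    names (PROGRA~2) are left alone: expanding them needs the target disk."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def parse_listing(text: str) -> list:
    """Parse the files section: a path line, then its MD5/SHA1/SHA256/SHA512 lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo not in HASH_LENGTHS:          # anything else starts a new entry
            current = DroppedFile(path=line)
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line!r}")
        digest = digest.strip().lower()
        if len(digest) != HASH_LENGTHS[algo] or not HEX_RE.match(digest):
            raise ValueError(f"malformed {algo} for {current.path}: {digest!r}")
        current.hashes[algo] = digest
    return entries

def drop_location(entry: DroppedFile) -> str:
    """Coarse triage bucket: writes under SysWOW64/System32 or Program Files
    matter more than files that only lived in the user's temp directory."""
    if entry.is_memory_dump:
        return "memory"
    p = normalize_path(entry.path)
    if "\\syswow64\\" in p or "\\system32\\" in p:
        return "system"
    if "\\program files" in p or "\\progra~" in p:
        return "program_files"
    if "\\temp\\" in p:
        return "temp"
    return "other"

def hash_index(entries) -> dict:
    """Map every digest of every algorithm to its entry for O(1) lookup."""
    return {d: e for e in entries for d in e.hashes.values()}

def match_bytes(index: dict, data: bytes):
    """Hash a file collected from a suspect host and return the matching entry,
    trying the collision-resistant algorithms before MD5."""
    for algo in ("sha512", "sha256", "sha1", "md5"):
        hit = index.get(hashlib.new(algo, data).hexdigest())
        if hit is not None:
            return hit
    return None

# Constructed input: two entries copied from the report, one memory-dump line,
# and one made-up entry whose digests are computed from CONSTRUCTED_BYTES so
# that match_bytes() has something to hit offline.
CONSTRUCTED_BYTES = b"constructed placeholder, not a real dropped file\n"
CONSTRUCTED_ENTRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\constructed.bin\n\n" + "\n".join(
    f"{a} {hashlib.new(a.lower(), CONSTRUCTED_BYTES).hexdigest()}" for a in HASH_LENGTHS)
REPORT_EXCERPT = """
C:\\Windows\\SysWOW64\\apa.dll

MD5 29024dbe8cf92a96b2ff3733c5e68a1a
SHA1 ec6cad94980078b0033d683bff93ce0a5da40b11
SHA256 02eb06e3565ad37dcc204ab2c3525eb3545d0c5085ed7f75dbc39cfec805d15a
SHA512 37351a404c93914250c8dbdded71ac9c1c4f218a25a0af1358d87442114261d68e3891033dc1a05c7f63a084419d26e65cadb61d3eb6b06f23ee5bb1b1d000b6

\\??\\c:\\users\\admin\\appdata\\local\\temp\\pftb567.tmp\\data1.hdr

MD5 29ff043f724cb236e1ee3cd65a7d9b14
SHA1 c4e0cf963136b39361af4d3f2313ed7845355491
SHA256 6e9bf81ab44e9e3921a938d14a61661acc99953d1f684f02a553c724fa345fd9
SHA512 70628884f4e05b4a440c5d43402c81f0c8bdd04d9c6b7ae2209adabba4e65a016c4f3eb8f977e7daacdbd2c5a9ad5b2efb74cb22a72c1a9e7a4c030e17659e90

memory/2132-279-0x0000000003380000-0x00000000033B8000-memory.dmp

""" + CONSTRUCTED_ENTRY
```

To use it against the full section, paste the whole files listing into `parse_listing()`, then call `drop_location()` on each entry to see which drops landed under SysWOW64 and Program Files rather than in the temp directory, and feed the bytes of any file recovered from a host to `match_bytes(hash_index(entries), data)`. Matching tries SHA-512 and SHA-256 first so that an MD5 or SHA-1 collision cannot produce a false positive when the stronger digests are available; the length check matters because a digest copied with a character missing would silently never match.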