Analysis Overview
SHA256
9b3995e26d21f1eccace74b0ae1092b658f5943cdb8299f7cebc5dcd2856b60e
Threat Level: Likely malicious
The file 369b5dff03c39b93b16c8af2838a54af_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-11 20:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 20:11
Reported
2024-10-11 20:14
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor8546.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog8508.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuse8575.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScr8601.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\temp.000 | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\core8537.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\obje8565.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ = "ISetupUserInterface" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\IScript.dll" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine.1 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ = "ISetupFileRegistrar" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ = "SetupLogServices Class" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper.1 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ = "ISetupMainWindow" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\HELPDIR | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ = "ISetupObjectHolder" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ = "ISetupFeature" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ = "ISetupTextSubstitution" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
"C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe"
C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
"C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\~f768279.~~~ Install C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\pft82B9.tmp\Setup.exe" -n Evaluation -k FFG0S-1P5W3-TC3X9-6CT9Q-3GMM5 -p "SuperCache and SuperVolume Server Edition" -b "scsv.bmp" -a 30
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /UNREGSERVER
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-10-11 20:11 |
| Reported | 2024-10-11 20:14 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 146s |
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\temp.000 | C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorb8ff.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuseb91e.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coreb8ff.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objeb91e.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScrb96d.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILogb8c1.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133731511511489945" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\FLAGS\ = "0" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd} | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\ = "InstallShield Runtime 1.0 Type Library" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ = "ISetupWindowBillBoards" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ = "ISetupDriver" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC} | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper\CLSID | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\369b5dff03c39b93b16c8af2838a54af_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
"C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe"
C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
"C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\~e57b4f8.~~~ Install C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe" -n Evaluation -k FFG0S-1P5W3-TC3X9-6CT9Q-3GMM5 -p "SuperCache and SuperVolume Server Edition" -b "scsv.bmp" -a 30
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /UNREGSERVER
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2800-0-0x0000000002100000-0x0000000002101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scsv-3.0.2-server.exe
| MD5 | 74c87260f85dd3a5267e9e58bf9434e4 |
| SHA1 | 6d9cf4190c98beb4885ef0504cdb7af693b9a70f |
| SHA256 | f07c26ce18a0fe11ebf9f05e6636bc2264cb03070c980797cd659256c29efe6e |
| SHA512 | bd9436844a9ed747fe8d2df1f2d795c75a29e2b524ccbe899af0ed183444bd83ef075b6575e859f77a1399f64458ca2c9d8c062c59d4864b5a9bc95776531a9a |
C:\Users\Admin\AppData\Local\Temp\20100113-8080-shwglm.exe
| MD5 | 35cb85ff694a1504c8c1681e5f49c75b |
| SHA1 | 4a0407b9e496e50cd06d198cc9d5f33f55686113 |
| SHA256 | d409c7ddbf42b27c0eae0cef7f0a26b1bc85edfcfa8bed9bba6fd1c7662d471f |
| SHA512 | 9db434a319da5805e04d2f8022b42294113bb0d2c55ea700e278db35cdc2f2effc387515f878c163b407bcba0b0c0c882c1b2afbdef93373cd11fc12196b7c2c |
C:\Users\Admin\AppData\Local\Temp\plfB47B.tmp
| MD5 | cfaec980a3639a6b33704c0db20cb812 |
| SHA1 | e9402b1deb9293d51ea7a45ff5aea0f5bff1ea8f |
| SHA256 | 55023b00e2c2401272d0ad7b4b633814869483b6d939c5d4910e4ff18eeeee6c |
| SHA512 | 72bb65180098c195ea74c7dacf24500d98bbd872149e4247bdc98b3a12fabd2fd6846a61b7d30e610748d49348c347a1cec5939276e3a0b30703aeeb591017b2 |
memory/2800-34-0x0000000000400000-0x00000000004A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\pftw1.pkg
| MD5 | 6307e791403b5be273394430e7ae2a1c |
| SHA1 | 83db5ed7055bd2aa3ceb841c6bdf67fc45f439b1 |
| SHA256 | f0a732bd0c2194704dff1e2c581376f39ea5e7dbac83a73051ef3be3f9e695ec |
| SHA512 | 783bfd27e7eccda7936aadc2f2cf4cdf7c9e4874885dce3f2e7ad0f0d640bc446ba199035d576d9d519cad166cd0843733b5311a79effa27fc2b487a1f1f1a0f |
C:\Users\Admin\AppData\Local\Temp\~e57b4f8.~~~
| MD5 | 92eaf64ce3cc97c97f6c33bfcc782992 |
| SHA1 | 2192b7dea17f80cd068b29189bb8c53cde62baf2 |
| SHA256 | c10d3f4c7077170216cf40dfb06b7b1cce5eb6a994f7f40041957cd734af80ff |
| SHA512 | f2c13815502d357493d551786b066540224e8a6ec3ce095b69fa30bf8a9d55b63fb59771efb47ca6be6d1acced0f241e704757dccca826136c23d4ebbbb2dccc |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\Setup.exe
| MD5 | b1b88b62c82475661654064c2fee6748 |
| SHA1 | a96669ddc222a5a5259b564bcc2c5b526b6832df |
| SHA256 | 85055990a4f7bca077d4b297f53a0248b0ac38fe1a491a0548b7b1bd3249d038 |
| SHA512 | e092c36c64dfdd9e2cc86b1e03745f76a49646a78bdfe1f501d784bbabc9e8f794728a490c8774cc0796eeb636132ebf86a862b0d6d36afc9036669f43419ebd |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\setup.ini
| MD5 | 8a1d003153418f4147e6ab4007fb559d |
| SHA1 | 030d627b3573ee9dbb6df201174f7150d5f94241 |
| SHA256 | e59fe4c855b31bfda9fce52cef2265075eb45aed2449198711fac96d100cb233 |
| SHA512 | a1ec01c218b847a0f7a5e4a167fc485c3e306f8223880f97e5436a5885868bbb03354fd48187c0ad7a19aa630d49fbf4c24566fee83fe2ff85d2ce0e68160f24 |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\IKernel.ex_
| MD5 | 93b63f516482715a784bbec3a0bf5f3a |
| SHA1 | 2478feca446576c33e96e708256d4c6c33e3fa68 |
| SHA256 | fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249 |
| SHA512 | 2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70 |
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
| MD5 | b3fd01873bd5fd163ab465779271c58f |
| SHA1 | e1ff9981a09ab025d69ac891bfc931a776294d4d |
| SHA256 | 985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931 |
| SHA512 | 6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43 |
C:\Windows\SysWOW64\apa.dll
| MD5 | 29024dbe8cf92a96b2ff3733c5e68a1a |
| SHA1 | ec6cad94980078b0033d683bff93ce0a5da40b11 |
| SHA256 | 02eb06e3565ad37dcc204ab2c3525eb3545d0c5085ed7f75dbc39cfec805d15a |
| SHA512 | 37351a404c93914250c8dbdded71ac9c1c4f218a25a0af1358d87442114261d68e3891033dc1a05c7f63a084419d26e65cadb61d3eb6b06f23ee5bb1b1d000b6 |
\??\c:\users\admin\appdata\local\temp\pftb567.tmp\data1.hdr
| MD5 | 29ff043f724cb236e1ee3cd65a7d9b14 |
| SHA1 | c4e0cf963136b39361af4d3f2313ed7845355491 |
| SHA256 | 6e9bf81ab44e9e3921a938d14a61661acc99953d1f684f02a553c724fa345fd9 |
| SHA512 | 70628884f4e05b4a440c5d43402c81f0c8bdd04d9c6b7ae2209adabba4e65a016c4f3eb8f977e7daacdbd2c5a9ad5b2efb74cb22a72c1a9e7a4c030e17659e90 |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\setup.inx
| MD5 | e7ae1aa17a4a8428f363e35ab612f8e4 |
| SHA1 | 313f60f47177ec28ba2b3c6be668253d419f2770 |
| SHA256 | 15ba61a674f6fd088b84908abb4c7b087f81e7fcd78399979e1587c1d9ff0af3 |
| SHA512 | aaa7d93899af77542ccf4e4a379edd4ee06d7bf6a41ab45a7378a34d94fc6c0a98b6c5ffe4e0d38e9f308194eab493ed5dbd76d24164669be3ca2bba36393a56 |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\data1.cab
| MD5 | f849d66f74c9aaf467f2a952742ccf22 |
| SHA1 | 98efcb978e4534725f680e87ec58759894c458a4 |
| SHA256 | dc26595a36b882e75afb220a85b12697e2497a76246e6ecb3d306303768c5093 |
| SHA512 | ca5253251166c6ef13551d83dd0683c316b6563245ca7dbc86bcdb6fbe2179cca4341c3695e1e56743c7ef0643980b3806fa671f0fd6b04677dcec3423148f7c |
C:\Users\Admin\AppData\Local\Temp\pftB567.tmp\layout.bin
| MD5 | 1fb8e61eb23b1d7141c1d2bb9e4ecf2e |
| SHA1 | 0d2d0118578160bbcf4c634e7279fa649b3b8014 |
| SHA256 | b788334c1be6240e7656c45f7b14f090c095050505c08722788c48231842d185 |
| SHA512 | ff19732307f65522f9b6f850edf14230868772d18b21a59160cb682644083085561a486b1334baee31126e4a24be7355d4f7427c18d7673ff9b6eadb2dcdf934 |
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
| MD5 | a2b4718bb69d081202af2aa317dc0c0b |
| SHA1 | 4f95adf0393890b36d6b06a0dd153506b4cd39b2 |
| SHA256 | 69d84c8fe49021c1fd4e3e1678090c0517d753176ad74dbee25c053528373fb0 |
| SHA512 | d46062f756d9c128acf354a075ca82d39831b85145c94e9a816e5e2c09e5070f445f69abd2bc6028c6c45238a897fc93d7ac05d513286afb37492e938291e618 |
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini
| MD5 | 62d5f9827d867eb3e4ab9e6b338348a1 |
| SHA1 | 828e72f9c845b1c0865badaef40d63fb36447293 |
| SHA256 | 5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5 |
| SHA512 | b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732 |
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
| MD5 | 003a6c011aac993bcde8c860988ce49b |
| SHA1 | 6d39d650dfa5ded45c4e0cb17b986893061104a7 |
| SHA256 | 590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a |
| SHA512 | 032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7 |
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
| MD5 | 8f02b204853939f8aefe6b07b283be9a |
| SHA1 | c161b9374e67d5fa3066ea03fc861cc0023eb3cc |
| SHA256 | 32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998 |
| SHA512 | 8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59 |
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
| MD5 | 377765fd4de3912c0f814ee9f182feda |
| SHA1 | a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1 |
| SHA256 | 8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb |
| SHA512 | 31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710 |
C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
| MD5 | b2f7e6dc7e4aae3147fbfc74a2ddb365 |
| SHA1 | 716301112706e93f85977d79f0e8f18f17fb32a7 |
| SHA256 | 4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1 |
| SHA512 | e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83 |
C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\scsv.bmp
| MD5 | 309bcd2f9f3162fb639d27a8c73f960d |
| SHA1 | 21dd5fa90318b75c2131dc4736c6db68cc9db500 |
| SHA256 | 917c851cc8fb108cfee4e9c561285feb88f8b6b48482e5533bd323ece7be335b |
| SHA512 | ca18d2cde8179b3ea5008d3096466488f9a7383867bfa4eb4530d16ece99bba178b7b1968c034465e50f134ea6b6dfc84d45227df58fe45011609459c0ffd095 |
memory/2132-279-0x0000000003380000-0x00000000033B8000-memory.dmp
memory/2132-287-0x0000000003720000-0x000000000376F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\isrt.dll
| MD5 | 10b069f6492bf91d8ec04bef6de355dc |
| SHA1 | 5391ea593b66f357d1e24bd294d1d21da396dfa2 |
| SHA256 | d7b01c3461c9214758f777c57defd8a91a72bb357d504c4936417a407a409ef1 |
| SHA512 | 88320f2895525974eeb246844e5315e509607152d317ae44e66cb5ff390db6ac57cef06f94443aa123a2962294f132263a65a7054488c69d86b4d2afe9ecc5fe |
memory/2132-293-0x00000000034F0000-0x000000000351C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\_IsUser.dll
| MD5 | 9ac0813e2f477be98344022b4543e097 |
| SHA1 | 0fc0d24d4ce7420c1cee71c0860a18f6d8f6b890 |
| SHA256 | 293ea8ae72991b6ab3b35f9da32652e391cfe243b9261280f02c3a0093afa420 |
| SHA512 | 1e0a01f1fb360b06442d4e709331c4efda96a04ab7ca39dc000966384f4e2ccb1fb0069bcc3e6aaaa25ef7bdc4735d21e5a25fd93274b358df5e7311c78eb762 |
memory/2132-302-0x00000000034C0000-0x00000000034D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\_IsRes.dll
| MD5 | 40f51c7a52f13ecf92ac81785440e2a2 |
| SHA1 | da47b2050ee143136894a51085f0a0163a831dbe |
| SHA256 | 3a43357b59e150fe05904a8126e079cfeb0902c3738d838f81b394cee553c4bb |
| SHA512 | b31bff56fdb9c9505a4e765ee59d977602514abaee9168a67639b166e95c412be5d6b20caae27f9aef1514f07a4998f37460bd3e5f9d901de6b313f2dab73429 |
memory/2132-273-0x00000000021B0000-0x00000000021C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{5b14e06B-97a1-11d3-b2c8-00c0f014c0f2}\SscVfIs.dll
| MD5 | e6fc79ce876c2bc0832ca9ac8198bb39 |
| SHA1 | 5e843993f575902b5a4fa2eda7c28dea9c09ed23 |
| SHA256 | 1bded0e854f25a516208495ec44632ecfe608ec08dbc0983a9a66bc2d96a6a8f |
| SHA512 | 546bb06548b4ba4613e8ac9cf795fd4d20413173bea4241ecb84ed6c1bbd99cba4c0c285d6e60d0bbdc62fea1d167808ab771d0a2998d29323afc12c33665957 |
memory/2132-311-0x0000000003D60000-0x0000000003D7C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | d24b359dd15a84476a1ede3adbb70449 |
| SHA1 | 368d7d8880b0d0c10d21cee010d47531e188bca6 |
| SHA256 | eeb4a10091ea365ac48d329ac8738515cfa0370c2fbdc1e5387ab275d02e18f3 |
| SHA512 | 3381c75f074d4a4e0cf4dc05f7dd4fbda268b7cd42b45a0e56c8ae6dfb1990892539b101caec0dcb4fb80a17688ad8e122ec5cd1db62f3fa286c155cdbbcc3af |