onlylogger | 20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49

Analysis

max time kernel
143s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
Size

3.6MB
MD5

d1d52827f917a0ac5604e6d32835093c
SHA1

6e615f013f5ccda98199eadfd8cef500e58d1fc0
SHA256

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49
SHA512

0f3aeb8c1951c2548b16433037e11a22cb3119567a8ad1477a19ab57105e201736fdf749dc13d387e9a874acef313ddcaf5942cbc3a4f81037a0e95db31a82ce

Score

10^/10

onlylogger redline socelars vidar 933 update discovery infostealer loader persistence spyware stealer

Malware Config

Extracted

Family

socelars

http://www.chosenncrowned.com/

Extracted

Family

redline

Botnet

Update

185.215.113.10:32605

Attributes

auth_value
910ca2116f2e220a6801edd5a725ab65

Extracted

Family

vidar

Version

49.4

Botnet

933

https://mastodon.online/@banda1ker

https://koyu.space/@banda2ker

Attributes

profile_id
933

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 2116 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2116	rundll32.exe

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-97-0x00000000007E0000-0x0000000000814000-memory.dmp	family_redline
behavioral1/memory/1712-110-0x0000000000A20000-0x0000000000A52000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\askinstall25.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/308-142-0x00000000007A0000-0x00000000007E3000-memory.dmp	family_onlylogger
behavioral1/memory/308-143-0x0000000000400000-0x0000000000798000-memory.dmp	family_onlylogger
behavioral1/memory/308-175-0x0000000000400000-0x0000000000798000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1552-139-0x00000000002D0000-0x00000000003A6000-memory.dmp	family_vidar
behavioral1/memory/1552-140-0x0000000000400000-0x00000000007EE000-memory.dmp	family_vidar
behavioral1/memory/1552-173-0x0000000000400000-0x00000000007EE000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

RobCleanerInstll33132.exelijia.exeProxyupd.exelijia.exeFixfile01.exeinst.exesetup.exeaskinstall25.exeMyNotes Installation.exemyfile.exeanytime1.exeanytime2.exeanytime3.exeanytime4.exelogger.exeMyNotes License Agreement.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exe

pid	process
840	RobCleanerInstll33132.exe
1288	lijia.exe
1712	Proxyupd.exe
272	lijia.exe
1552	Fixfile01.exe
360	inst.exe
308	setup.exe
1920	askinstall25.exe
1488	MyNotes Installation.exe
1640	myfile.exe
1832	anytime1.exe
1808	anytime2.exe
1496	anytime3.exe
636	anytime4.exe
2068	logger.exe
2480	MyNotes License Agreement.exe
2760	MyNotes.exe
2924	MyNotes.exe
3068	MyNotes.exe
3048	MyNotes.exe
672	MyNotes.exe
2188	MyNotes.exe
2180	MyNotes.exe
2628	MyNotes.exe
2676	MyNotes.exe
2848	MyNotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MyNotes.exeMyNotes.exeMyNotes.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	MyNotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	MyNotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	MyNotes.exe

Loads dropped DLL 64 IoCs

Processes:

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exelijia.exesetup.exeMyNotes Installation.exeMyNotes License Agreement.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exe

pid	process
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1288	lijia.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
308	setup.exe
308	setup.exe
308	setup.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1488	MyNotes Installation.exe
1488	MyNotes Installation.exe
1488	MyNotes Installation.exe
1488	MyNotes Installation.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
1488	MyNotes Installation.exe
1488	MyNotes Installation.exe
2480	MyNotes License Agreement.exe
2480	MyNotes License Agreement.exe
2480	MyNotes License Agreement.exe
2480	MyNotes License Agreement.exe
2760	MyNotes.exe
2480	MyNotes License Agreement.exe
2480	MyNotes License Agreement.exe
2760	MyNotes.exe
2760	MyNotes.exe
2480	MyNotes License Agreement.exe
1488	MyNotes Installation.exe
2924	MyNotes.exe
3048	MyNotes.exe
3068	MyNotes.exe
3068	MyNotes.exe
3068	MyNotes.exe
3048	MyNotes.exe
3048	MyNotes.exe
672	MyNotes.exe
2188	MyNotes.exe
3048	MyNotes.exe
2188	MyNotes.exe
2188	MyNotes.exe
672	MyNotes.exe
3048	MyNotes.exe
672	MyNotes.exe
3048	MyNotes.exe
2188	MyNotes.exe
2180	MyNotes.exe
2180	MyNotes.exe
2180	MyNotes.exe
2180	MyNotes.exe
2628	MyNotes.exe
2628	MyNotes.exe
2628	MyNotes.exe
2628	MyNotes.exe
2676	MyNotes.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MyNotes License Agreement.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	MyNotes License Agreement.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyNotes = "C:\\Users\\Admin\\AppData\\Roaming\\MyNotes\\MyNotes.exe --Vk93vNV"	MyNotes License Agreement.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2356 taskkill.exe

pid	process
2356	taskkill.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall25.exeMyNotes License Agreement.exeRobCleanerInstll33132.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	askinstall25.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02401800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	askinstall25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	MyNotes License Agreement.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RobCleanerInstll33132.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	MyNotes License Agreement.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	RobCleanerInstll33132.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RobCleanerInstll33132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	MyNotes License Agreement.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	MyNotes License Agreement.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MyNotes License Agreement.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	MyNotes License Agreement.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	RobCleanerInstll33132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	RobCleanerInstll33132.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	RobCleanerInstll33132.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	MyNotes License Agreement.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

MyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exeMyNotes.exe

pid	process
2760	MyNotes.exe
2760	MyNotes.exe
3068	MyNotes.exe
3048	MyNotes.exe
2188	MyNotes.exe
672	MyNotes.exe
2180	MyNotes.exe
2628	MyNotes.exe
2676	MyNotes.exe
2848	MyNotes.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

RobCleanerInstll33132.exeaskinstall25.exeProxyupd.exeanytime1.exemyfile.exeanytime2.exeanytime3.exeanytime4.exelogger.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	840	RobCleanerInstll33132.exe
Token: SeCreateTokenPrivilege	1920	askinstall25.exe
Token: SeAssignPrimaryTokenPrivilege	1920	askinstall25.exe
Token: SeLockMemoryPrivilege	1920	askinstall25.exe
Token: SeIncreaseQuotaPrivilege	1920	askinstall25.exe
Token: SeMachineAccountPrivilege	1920	askinstall25.exe
Token: SeTcbPrivilege	1920	askinstall25.exe
Token: SeSecurityPrivilege	1920	askinstall25.exe
Token: SeTakeOwnershipPrivilege	1920	askinstall25.exe
Token: SeLoadDriverPrivilege	1920	askinstall25.exe
Token: SeSystemProfilePrivilege	1920	askinstall25.exe
Token: SeSystemtimePrivilege	1920	askinstall25.exe
Token: SeProfSingleProcessPrivilege	1920	askinstall25.exe
Token: SeIncBasePriorityPrivilege	1920	askinstall25.exe
Token: SeCreatePagefilePrivilege	1920	askinstall25.exe
Token: SeCreatePermanentPrivilege	1920	askinstall25.exe
Token: SeBackupPrivilege	1920	askinstall25.exe
Token: SeRestorePrivilege	1920	askinstall25.exe
Token: SeShutdownPrivilege	1920	askinstall25.exe
Token: SeDebugPrivilege	1920	askinstall25.exe
Token: SeAuditPrivilege	1920	askinstall25.exe
Token: SeSystemEnvironmentPrivilege	1920	askinstall25.exe
Token: SeChangeNotifyPrivilege	1920	askinstall25.exe
Token: SeRemoteShutdownPrivilege	1920	askinstall25.exe
Token: SeUndockPrivilege	1920	askinstall25.exe
Token: SeSyncAgentPrivilege	1920	askinstall25.exe
Token: SeEnableDelegationPrivilege	1920	askinstall25.exe
Token: SeManageVolumePrivilege	1920	askinstall25.exe
Token: SeImpersonatePrivilege	1920	askinstall25.exe
Token: SeCreateGlobalPrivilege	1920	askinstall25.exe
Token: 31	1920	askinstall25.exe
Token: 32	1920	askinstall25.exe
Token: 33	1920	askinstall25.exe
Token: 34	1920	askinstall25.exe
Token: 35	1920	askinstall25.exe
Token: SeDebugPrivilege	1712	Proxyupd.exe
Token: SeDebugPrivilege	1832	anytime1.exe
Token: SeDebugPrivilege	1640	myfile.exe
Token: SeDebugPrivilege	1808	anytime2.exe
Token: SeDebugPrivilege	1496	anytime3.exe
Token: SeDebugPrivilege	636	anytime4.exe
Token: SeDebugPrivilege	2068	logger.exe
Token: SeDebugPrivilege	2356	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

MyNotes.exe

pid process

2760 MyNotes.exe
2760 MyNotes.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exelijia.exe

description	pid	process	target process
PID 1644 wrote to memory of 840	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 1644 wrote to memory of 840	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 1644 wrote to memory of 840	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 1644 wrote to memory of 840	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	RobCleanerInstll33132.exe
PID 1644 wrote to memory of 1288	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 1644 wrote to memory of 1288	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 1644 wrote to memory of 1288	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 1644 wrote to memory of 1288	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	lijia.exe
PID 1644 wrote to memory of 1712	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 1644 wrote to memory of 1712	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 1644 wrote to memory of 1712	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 1644 wrote to memory of 1712	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Proxyupd.exe
PID 1288 wrote to memory of 272	1288	lijia.exe	lijia.exe
PID 1288 wrote to memory of 272	1288	lijia.exe	lijia.exe
PID 1288 wrote to memory of 272	1288	lijia.exe	lijia.exe
PID 1288 wrote to memory of 272	1288	lijia.exe	lijia.exe
PID 1644 wrote to memory of 1552	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 1644 wrote to memory of 1552	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 1644 wrote to memory of 1552	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 1644 wrote to memory of 1552	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	Fixfile01.exe
PID 1644 wrote to memory of 360	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 1644 wrote to memory of 360	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 1644 wrote to memory of 360	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 1644 wrote to memory of 360	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	inst.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 308	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	setup.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1920	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	askinstall25.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1488	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	MyNotes Installation.exe
PID 1644 wrote to memory of 1640	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 1644 wrote to memory of 1640	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 1644 wrote to memory of 1640	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 1644 wrote to memory of 1640	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	myfile.exe
PID 1644 wrote to memory of 1832	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 1644 wrote to memory of 1832	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 1644 wrote to memory of 1832	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 1644 wrote to memory of 1832	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime1.exe
PID 1644 wrote to memory of 1808	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 1644 wrote to memory of 1808	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 1644 wrote to memory of 1808	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 1644 wrote to memory of 1808	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime2.exe
PID 1644 wrote to memory of 1496	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 1644 wrote to memory of 1496	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 1644 wrote to memory of 1496	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 1644 wrote to memory of 1496	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime3.exe
PID 1644 wrote to memory of 636	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime4.exe
PID 1644 wrote to memory of 636	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime4.exe
PID 1644 wrote to memory of 636	1644	20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe	anytime4.exe

C:\Users\Admin\AppData\Local\Temp\20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe
"C:\Users\Admin\AppData\Local\Temp\20fee4355bf909eb904b31ce96c328d8965b71daf0b8ef255f6278c8b5ddfe49.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
"C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\lijia.exe
"C:\Users\Admin\AppData\Local\Temp\lijia.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\lijia.exe
"C:\Users\Admin\AppData\Local\Temp\lijia.exe" -u
3⤵
- Executes dropped EXE
PID:272

C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
"C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe
"C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe"
2⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\inst.exe
"C:\Users\Admin\AppData\Local\Temp\inst.exe"
2⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308

C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:2328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488

C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2480

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" "--Vk93vNV"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2760

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\MyNotes\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\MyNotes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\MyNotes\User Data" --annotation=plat=Win64 --annotation=prod=MyNotes --annotation=ver=0.0.13 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef22bdec0,0x7fef22bded0,0x7fef22bdee0
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=gpu-process --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1144 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --mojo-platform-channel-handle=1284 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --mojo-platform-channel-handle=1636 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\MyNotes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1796 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\MyNotes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1820 /prefetch:1
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=gpu-process --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2996 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --mojo-platform-channel-handle=1312 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe
"C:\Users\Admin\AppData\Roaming\MyNotes\MyNotes.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,8786774664189635311,2437055985382072244,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\MyNotes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2760_380099634" --mojo-platform-channel-handle=1340 /prefetch:8
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Users\Admin\AppData\Local\Temp\myfile.exe
"C:\Users\Admin\AppData\Local\Temp\myfile.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\AppData\Local\Temp\anytime4.exe
"C:\Users\Admin\AppData\Local\Temp\anytime4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Local\Temp\logger.exe
"C:\Users\Admin\AppData\Local\Temp\logger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
345d8fee483a5ff6878988b4b1ee6c41

SHA1
77d189eaac0b1fb46fa6e956ba1eaf9582988c40

SHA256
eaa3b99e11626388b90769a66a0b27b5eb1b1bd1f057f44ad42cb75dc4bc4e41

SHA512
50f818048e27cf5b3b7440d53aafcb68182840b84b8a7bb84dbf8d48bdb724093fdc5a3822610056a2509f18be265cf0efc1df9dd54228ab4b58bf3b0096e81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
051227ddb11eafdd173b61ac6874e5a2

SHA1
e26b4c9401573598cfe0b97c21c2d734628509f5

SHA256
e5b16bc63f83651dc6293a97cacfd48012c9b285324745c5c098000442010a4e

SHA512
9160643cbdf48b9daf83723d4b39484b4d53ebc807892d56aa2d6dbff1e65d3361f8e78cd205656900a955a48af24c964c9d17f5e9a2424cc820e24e76618ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3bb19d28e68c7ecd1b0e72ca5ed15b15

SHA1
98759be05cea2f299486f3afb3d2f92d3c7511dd

SHA256
b30d0f9364c99889113331655fc010da4bdb1f0c3e3643967bd74b1126c850d4

SHA512
31d89f651d6f0d0606e4b182f93c7b743d18ed0c4c9c4a0f1db28d697db9801c86917f641d982bc0bf06f52348a237d8ac859ad161defa9e6254fad9a85990b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d4d564d8b316a0dbf92649b8aeda6d22

SHA1
bb93635412afb397ff89f9f6209f0babae4f9ae3

SHA256
e3dd0271d02b0d9fbb4c49886c9a36b5846dba1687698979a2cf82fd18ed9e97

SHA512
8e983022c5495008e770fad30533c06267be9ab10ce6c45604b91888a934c0623f44158c457708b4dcbcd59e2311f2f982df4ed88ef99a7a6a3544de29f7928e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fixfile01.exe
Filesize
772KB

MD5
b72f4123ea6aa6642c9d1034000433ab

SHA1
bb5a30a3678d6a1f8b2039586851e9d68ccb219c

SHA256
330faa980d2fd8657640ec01e6a5a6817f69f5b4d991b5ca57f4e4651f60883b

SHA512
4eb110428c3d87ce3ee5b5611e8a60bf8968ec2213864cbc72b7e667a4f916bfd3c7c2e6a770cc0bf2dde5457a24e942d57a9a85f9eed5357399d30923724a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
Filesize
63KB

MD5
c86e4abc50245fbaf26940ee41147aac

SHA1
192abcee47b4abdad18b28180dc6c2db2b8a4518

SHA256
001ae53802f44523369deedeaa13844a986aa5d78af893dd31269bcdd0f477af

SHA512
b61d3fb879c86270cf84446e5cfa5029c5641eaa319ed113c95e949321e001a5366985500ee6a1f46ed93e9b14ca7e69a2d4c3b31a2e16b1896f0a8da946da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
Filesize
63KB

MD5
c86e4abc50245fbaf26940ee41147aac

SHA1
192abcee47b4abdad18b28180dc6c2db2b8a4518

SHA256
001ae53802f44523369deedeaa13844a986aa5d78af893dd31269bcdd0f477af

SHA512
b61d3fb879c86270cf84446e5cfa5029c5641eaa319ed113c95e949321e001a5366985500ee6a1f46ed93e9b14ca7e69a2d4c3b31a2e16b1896f0a8da946da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
Filesize
449KB

MD5
e410813ea373a6000039bfc0edcebfe9

SHA1
9b50aee9726646524641489909a6dbabf01368d9

SHA256
4c01e5deb0f6d8a207fbe08db8381035db4f330da5a4a8fc7ebf1ced2e557b3c

SHA512
25f6e73b27a22ec1186cc646f5a4a868c33f7674dd35a74e56fa6a55f9f86c4a4f2028188fbc5c90231981a588b4b7686e441ce8e0a963d318edee5fe133b7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
Filesize
169KB

MD5
be79990f9dd3d0060dea338d061aa75b

SHA1
24debc89aa5620dce31d4136f3ec6ec0431c868e

SHA256
047b8a17a9a36dcd25c01357ac1673b5c36e0b907f1b6df1edb194dc7f923243

SHA512
77ca6f2defa934ace8df4babc0748a66258ef9df355f0795cc11c9daa1b3b8b99980fad26c03f4ba14313cc7912bee99db4498b6490cdba0264c15d0130d4300

Download Submit
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
Filesize
169KB

MD5
be79990f9dd3d0060dea338d061aa75b

SHA1
24debc89aa5620dce31d4136f3ec6ec0431c868e

SHA256
047b8a17a9a36dcd25c01357ac1673b5c36e0b907f1b6df1edb194dc7f923243

SHA512
77ca6f2defa934ace8df4babc0748a66258ef9df355f0795cc11c9daa1b3b8b99980fad26c03f4ba14313cc7912bee99db4498b6490cdba0264c15d0130d4300

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
Filesize
64.1MB

MD5
aa7be87e0a1f332e24c8a6de57afb9e9

SHA1
a9bbc9e63ad2ac532219a403d16049c1e4219d90

SHA256
a8cdc463db7356fb7bbd0de9481ba17bc7b0347759c0cd054ae2cae224d7a8f7

SHA512
a71ab1483a5795fe37f6046d1022cfdda5a89529dd77e342e12ee14cd6fc9fd37eefb6b238f5a70ba314ed25561cc90614048b4a367a1085366ea8dc417b34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
Filesize
64.1MB

MD5
aa7be87e0a1f332e24c8a6de57afb9e9

SHA1
a9bbc9e63ad2ac532219a403d16049c1e4219d90

SHA256
a8cdc463db7356fb7bbd0de9481ba17bc7b0347759c0cd054ae2cae224d7a8f7

SHA512
a71ab1483a5795fe37f6046d1022cfdda5a89529dd77e342e12ee14cd6fc9fd37eefb6b238f5a70ba314ed25561cc90614048b4a367a1085366ea8dc417b34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
6b128da42b0d62ae341c3d301e93e96e

SHA1
7329a598d29a90aac156e8fe859d416adce95a8e

SHA256
d3d232021f35066443f9a29d6788fdd418985d0b2e297403541856d919d8b926

SHA512
198528bf110cd5555e2c543815b51e1a384a8b30cba1e7a950ca8100b2419aa42884d8f893efd564798de1cde40297e5cb74a1c81abbb88f858872ae299f42f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
6b128da42b0d62ae341c3d301e93e96e

SHA1
7329a598d29a90aac156e8fe859d416adce95a8e

SHA256
d3d232021f35066443f9a29d6788fdd418985d0b2e297403541856d919d8b926

SHA512
198528bf110cd5555e2c543815b51e1a384a8b30cba1e7a950ca8100b2419aa42884d8f893efd564798de1cde40297e5cb74a1c81abbb88f858872ae299f42f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
057507de65c02632dee1155973a7712a

SHA1
030d236098fd4151d14181deb76a8b6cc20b10fb

SHA256
092d0d40364c03fe5c8c2bc91fc8413b3b94da7f1d71ffde2aa1900c3eaff497

SHA512
a0249c67350387b2a60e281fac905e33707480e15ba853bbea9d34350e7c87e75a92ed1a82f287f9b4b8183bd0b4b0e505e31bf195b6b1fdd26eb77cefd81c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
057507de65c02632dee1155973a7712a

SHA1
030d236098fd4151d14181deb76a8b6cc20b10fb

SHA256
092d0d40364c03fe5c8c2bc91fc8413b3b94da7f1d71ffde2aa1900c3eaff497

SHA512
a0249c67350387b2a60e281fac905e33707480e15ba853bbea9d34350e7c87e75a92ed1a82f287f9b4b8183bd0b4b0e505e31bf195b6b1fdd26eb77cefd81c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
b3ee17b56ec9c3904dbc883037a87b8d

SHA1
6f7a393cbee3dece9e60521db2021e996c3c9300

SHA256
46021db002a4cc166c3597de2c11352e941dcdaf60eb2153b4c9d0991556d453

SHA512
30d1e749d7212cf10e04a74c2e3c3a10eaa8c10dd8de747c2f650b3a65cfb2bc0c34d85f03eb6cb7431b9a2738eda2a8a984ba7f00b495959ebd18eaf50eab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
b3ee17b56ec9c3904dbc883037a87b8d

SHA1
6f7a393cbee3dece9e60521db2021e996c3c9300

SHA256
46021db002a4cc166c3597de2c11352e941dcdaf60eb2153b4c9d0991556d453

SHA512
30d1e749d7212cf10e04a74c2e3c3a10eaa8c10dd8de747c2f650b3a65cfb2bc0c34d85f03eb6cb7431b9a2738eda2a8a984ba7f00b495959ebd18eaf50eab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
a5cacfa7c39d4ce8432137f1075f0f56

SHA1
d6af8309619325e8ed38a191d815a532b5eae516

SHA256
2cf3c0332ed6d69f46c59fe16270028d736e8b13d65c2879393f7e0413c9568b

SHA512
485e1fd8fc471883bed69963c34bc801e67c1ddcec0af779ff1c11c059b7d60bdfb4c6157a4263c77406898935290e376757d3978fd8f86894b3cfadcfd89456

Download Submit
C:\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
a5cacfa7c39d4ce8432137f1075f0f56

SHA1
d6af8309619325e8ed38a191d815a532b5eae516

SHA256
2cf3c0332ed6d69f46c59fe16270028d736e8b13d65c2879393f7e0413c9568b

SHA512
485e1fd8fc471883bed69963c34bc801e67c1ddcec0af779ff1c11c059b7d60bdfb4c6157a4263c77406898935290e376757d3978fd8f86894b3cfadcfd89456

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
Filesize
1.4MB

MD5
137f82a54e84059b950097227c2d5c36

SHA1
2dd708f95c2d0554b0e32e6992668c8aa9f331b3

SHA256
ae7e206a0865d3995978fb71d8d02e48087b5afeae159df69961a6e95a5e3a67

SHA512
f0c6dc477a737211b573796ba4c6b2874a3d73b10b0dea6a5440895939eb1751522250220385c2fd08246a9f065cf836ba364afaab1b214222653c5c8c9bd295

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst.exe
Filesize
199KB

MD5
19c8232614d6fd85f6c52a6bee5b9824

SHA1
b668ac3272ef3568f73c9358a0c356511a547910

SHA256
a97a1b445e1f96e32737820f680da2e22634d8ae245d987b17543ba14ccc0b80

SHA512
da6cfe543319e1352590bd41c02fb1269748af73be558414123bdbf53d85849835d3e70a73f5f7e4b4930ccb5e2cb976ee859510a032218807717a51ef95ea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.exe
Filesize
8KB

MD5
2621f6175b7ced85dcdbe5a4d2bccbe4

SHA1
5ea5119401dc5ea536ddfaf7f72b77b30b791fff

SHA256
4bc9024c38abfa5cfcd37e53994b5e2ec00758791ea1e56a3087e8ecd2388287

SHA512
4a613ee77d697394545ab2312641be945e7963ba0c0e0149e86b7fe6b9c0954b1d4dcce9c4f92d6308d8e1c616382e479de06d28e790f1c65afa3e8aeafed72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\logger.exe
Filesize
8KB

MD5
2621f6175b7ced85dcdbe5a4d2bccbe4

SHA1
5ea5119401dc5ea536ddfaf7f72b77b30b791fff

SHA256
4bc9024c38abfa5cfcd37e53994b5e2ec00758791ea1e56a3087e8ecd2388287

SHA512
4a613ee77d697394545ab2312641be945e7963ba0c0e0149e86b7fe6b9c0954b1d4dcce9c4f92d6308d8e1c616382e479de06d28e790f1c65afa3e8aeafed72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe
Filesize
8KB

MD5
2b2003ab612e0dc72ca77dbdc4b4230c

SHA1
91bdd8411f5fcc88614efda436b86dc977f468c8

SHA256
69d9e4854e11ae89810f86745c1e3fa2f31a56a2c8510113f6a14728927b07de

SHA512
386696e7d0d43506f5da3d9a0403b979229b23793c8944acc453b2f8b5c86bd0635587b7e3bce36b65b155a74c37ff145895fc8db637a285723eb47a2fed5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\myfile.exe
Filesize
8KB

MD5
2b2003ab612e0dc72ca77dbdc4b4230c

SHA1
91bdd8411f5fcc88614efda436b86dc977f468c8

SHA256
69d9e4854e11ae89810f86745c1e3fa2f31a56a2c8510113f6a14728927b07de

SHA512
386696e7d0d43506f5da3d9a0403b979229b23793c8944acc453b2f8b5c86bd0635587b7e3bce36b65b155a74c37ff145895fc8db637a285723eb47a2fed5dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
4KB

MD5
0e31339a74a3ba88daee4ca57464142c

SHA1
f7ab0183c802dcd153f9a328b321095d835e0504

SHA256
8384a0fc412248d8761c289114e75c8a27e405f4b1e1686a947488cde7b22c5d

SHA512
6daafb8b57077f6b66d71feb500d4aed3233c72f5b85c30df654f007b0d04a3ba1e778f0d60b6196b2f5aa456cf590c17283d7f37b558ce380f45b0af0e25c1f

Download Submit
\Users\Admin\AppData\Local\Temp\Fixfile01.exe
Filesize
772KB

MD5
b72f4123ea6aa6642c9d1034000433ab

SHA1
bb5a30a3678d6a1f8b2039586851e9d68ccb219c

SHA256
330faa980d2fd8657640ec01e6a5a6817f69f5b4d991b5ca57f4e4651f60883b

SHA512
4eb110428c3d87ce3ee5b5611e8a60bf8968ec2213864cbc72b7e667a4f916bfd3c7c2e6a770cc0bf2dde5457a24e942d57a9a85f9eed5357399d30923724a51

Download Submit
\Users\Admin\AppData\Local\Temp\Fixfile01.exe
Filesize
772KB

MD5
b72f4123ea6aa6642c9d1034000433ab

SHA1
bb5a30a3678d6a1f8b2039586851e9d68ccb219c

SHA256
330faa980d2fd8657640ec01e6a5a6817f69f5b4d991b5ca57f4e4651f60883b

SHA512
4eb110428c3d87ce3ee5b5611e8a60bf8968ec2213864cbc72b7e667a4f916bfd3c7c2e6a770cc0bf2dde5457a24e942d57a9a85f9eed5357399d30923724a51

Download Submit
\Users\Admin\AppData\Local\Temp\MyNotes Installation.exe
Filesize
63KB

MD5
c86e4abc50245fbaf26940ee41147aac

SHA1
192abcee47b4abdad18b28180dc6c2db2b8a4518

SHA256
001ae53802f44523369deedeaa13844a986aa5d78af893dd31269bcdd0f477af

SHA512
b61d3fb879c86270cf84446e5cfa5029c5641eaa319ed113c95e949321e001a5366985500ee6a1f46ed93e9b14ca7e69a2d4c3b31a2e16b1896f0a8da946da04

Download Submit
\Users\Admin\AppData\Local\Temp\Proxyupd.exe
Filesize
449KB

MD5
e410813ea373a6000039bfc0edcebfe9

SHA1
9b50aee9726646524641489909a6dbabf01368d9

SHA256
4c01e5deb0f6d8a207fbe08db8381035db4f330da5a4a8fc7ebf1ced2e557b3c

SHA512
25f6e73b27a22ec1186cc646f5a4a868c33f7674dd35a74e56fa6a55f9f86c4a4f2028188fbc5c90231981a588b4b7686e441ce8e0a963d318edee5fe133b7b0

Download Submit
\Users\Admin\AppData\Local\Temp\Proxyupd.exe
Filesize
449KB

MD5
e410813ea373a6000039bfc0edcebfe9

SHA1
9b50aee9726646524641489909a6dbabf01368d9

SHA256
4c01e5deb0f6d8a207fbe08db8381035db4f330da5a4a8fc7ebf1ced2e557b3c

SHA512
25f6e73b27a22ec1186cc646f5a4a868c33f7674dd35a74e56fa6a55f9f86c4a4f2028188fbc5c90231981a588b4b7686e441ce8e0a963d318edee5fe133b7b0

Download Submit
\Users\Admin\AppData\Local\Temp\RobCleanerInstll33132.exe
Filesize
169KB

MD5
be79990f9dd3d0060dea338d061aa75b

SHA1
24debc89aa5620dce31d4136f3ec6ec0431c868e

SHA256
047b8a17a9a36dcd25c01357ac1673b5c36e0b907f1b6df1edb194dc7f923243

SHA512
77ca6f2defa934ace8df4babc0748a66258ef9df355f0795cc11c9daa1b3b8b99980fad26c03f4ba14313cc7912bee99db4498b6490cdba0264c15d0130d4300

Download Submit
\Users\Admin\AppData\Local\Temp\SKfJPz8D7ef4g\MyNotes License Agreement.exe
Filesize
64.1MB

MD5
aa7be87e0a1f332e24c8a6de57afb9e9

SHA1
a9bbc9e63ad2ac532219a403d16049c1e4219d90

SHA256
a8cdc463db7356fb7bbd0de9481ba17bc7b0347759c0cd054ae2cae224d7a8f7

SHA512
a71ab1483a5795fe37f6046d1022cfdda5a89529dd77e342e12ee14cd6fc9fd37eefb6b238f5a70ba314ed25561cc90614048b4a367a1085366ea8dc417b34a4

Download Submit
\Users\Admin\AppData\Local\Temp\anytime1.exe
Filesize
8KB

MD5
6b128da42b0d62ae341c3d301e93e96e

SHA1
7329a598d29a90aac156e8fe859d416adce95a8e

SHA256
d3d232021f35066443f9a29d6788fdd418985d0b2e297403541856d919d8b926

SHA512
198528bf110cd5555e2c543815b51e1a384a8b30cba1e7a950ca8100b2419aa42884d8f893efd564798de1cde40297e5cb74a1c81abbb88f858872ae299f42f5

Download Submit
\Users\Admin\AppData\Local\Temp\anytime2.exe
Filesize
8KB

MD5
057507de65c02632dee1155973a7712a

SHA1
030d236098fd4151d14181deb76a8b6cc20b10fb

SHA256
092d0d40364c03fe5c8c2bc91fc8413b3b94da7f1d71ffde2aa1900c3eaff497

SHA512
a0249c67350387b2a60e281fac905e33707480e15ba853bbea9d34350e7c87e75a92ed1a82f287f9b4b8183bd0b4b0e505e31bf195b6b1fdd26eb77cefd81c9f

Download Submit
\Users\Admin\AppData\Local\Temp\anytime3.exe
Filesize
8KB

MD5
b3ee17b56ec9c3904dbc883037a87b8d

SHA1
6f7a393cbee3dece9e60521db2021e996c3c9300

SHA256
46021db002a4cc166c3597de2c11352e941dcdaf60eb2153b4c9d0991556d453

SHA512
30d1e749d7212cf10e04a74c2e3c3a10eaa8c10dd8de747c2f650b3a65cfb2bc0c34d85f03eb6cb7431b9a2738eda2a8a984ba7f00b495959ebd18eaf50eab26

Download Submit
\Users\Admin\AppData\Local\Temp\anytime4.exe
Filesize
8KB

MD5
a5cacfa7c39d4ce8432137f1075f0f56

SHA1
d6af8309619325e8ed38a191d815a532b5eae516

SHA256
2cf3c0332ed6d69f46c59fe16270028d736e8b13d65c2879393f7e0413c9568b

SHA512
485e1fd8fc471883bed69963c34bc801e67c1ddcec0af779ff1c11c059b7d60bdfb4c6157a4263c77406898935290e376757d3978fd8f86894b3cfadcfd89456

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall25.exe
Filesize
1.4MB

MD5
137f82a54e84059b950097227c2d5c36

SHA1
2dd708f95c2d0554b0e32e6992668c8aa9f331b3

SHA256
ae7e206a0865d3995978fb71d8d02e48087b5afeae159df69961a6e95a5e3a67

SHA512
f0c6dc477a737211b573796ba4c6b2874a3d73b10b0dea6a5440895939eb1751522250220385c2fd08246a9f065cf836ba364afaab1b214222653c5c8c9bd295

Download Submit
\Users\Admin\AppData\Local\Temp\inst.exe
Filesize
199KB

MD5
19c8232614d6fd85f6c52a6bee5b9824

SHA1
b668ac3272ef3568f73c9358a0c356511a547910

SHA256
a97a1b445e1f96e32737820f680da2e22634d8ae245d987b17543ba14ccc0b80

SHA512
da6cfe543319e1352590bd41c02fb1269748af73be558414123bdbf53d85849835d3e70a73f5f7e4b4930ccb5e2cb976ee859510a032218807717a51ef95ea20

Download Submit
\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
\Users\Admin\AppData\Local\Temp\lijia.exe
Filesize
124KB

MD5
78208d28e4db9d7116eda398cb4451d2

SHA1
c10edeb3977e465960c27238da2e37cb9f725a7e

SHA256
3c2ce304f7de730c825e745878e818e6318178e4e9a89e83e16c100ed71ec956

SHA512
8d0b8f86167d7ebadfe7abcdebee306f06229eeb04c3302b3cdacb71b7d58018ccea5c9431f7f7c83452321ea3fd201ec6401f98c20086175ee06122d3a1fc8b

Download Submit
\Users\Admin\AppData\Local\Temp\logger.exe
Filesize
8KB

MD5
2621f6175b7ced85dcdbe5a4d2bccbe4

SHA1
5ea5119401dc5ea536ddfaf7f72b77b30b791fff

SHA256
4bc9024c38abfa5cfcd37e53994b5e2ec00758791ea1e56a3087e8ecd2388287

SHA512
4a613ee77d697394545ab2312641be945e7963ba0c0e0149e86b7fe6b9c0954b1d4dcce9c4f92d6308d8e1c616382e479de06d28e790f1c65afa3e8aeafed72b

Download Submit
\Users\Admin\AppData\Local\Temp\myfile.exe
Filesize
8KB

MD5
2b2003ab612e0dc72ca77dbdc4b4230c

SHA1
91bdd8411f5fcc88614efda436b86dc977f468c8

SHA256
69d9e4854e11ae89810f86745c1e3fa2f31a56a2c8510113f6a14728927b07de

SHA512
386696e7d0d43506f5da3d9a0403b979229b23793c8944acc453b2f8b5c86bd0635587b7e3bce36b65b155a74c37ff145895fc8db637a285723eb47a2fed5dd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd205E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd205E.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsd205E.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nsd205E.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nsd205E.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nso6616.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nso6616.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
\Users\Admin\AppData\Local\Temp\nso6616.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
429KB

MD5
b7bb39edc90d4b1130b4af547687073c

SHA1
6a04f421fe87f23995f2f352b562b26fcc05499e

SHA256
838979fac0dec9e9be3c5aa603668560a6864cef242af9498e3d3b452eabd85e

SHA512
606c04663ce01aaa368350c273d98eb7193b1df7c0254bde53aa9fa80b070a2b31c63131735dcbd8d46547a6ba5adbddbe762317e64e2938f3ddf747c14b7ad4

Download Submit
memory/272-72-0x0000000000000000-mapping.dmp

Download
memory/308-141-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/308-174-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/308-175-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/308-89-0x0000000000000000-mapping.dmp

Download
memory/308-143-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/308-142-0x00000000007A0000-0x00000000007E3000-memory.dmp

Filesize
268KB

Download
memory/360-82-0x0000000000000000-mapping.dmp

Download
memory/360-85-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/360-87-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/636-148-0x0000000000040000-0x0000000000048000-memory.dmp

Filesize
32KB

Download
memory/636-145-0x0000000000000000-mapping.dmp

Download
memory/672-182-0x0000000000000000-mapping.dmp

Download
memory/840-57-0x0000000000000000-mapping.dmp

Download
memory/840-75-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/840-60-0x0000000001380000-0x00000000013B4000-memory.dmp

Filesize
208KB

Download
memory/1288-63-0x0000000000000000-mapping.dmp

Download
memory/1488-105-0x0000000000000000-mapping.dmp

Download
memory/1496-137-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1496-133-0x0000000000000000-mapping.dmp

Download
memory/1552-173-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/1552-172-0x0000000000878000-0x00000000008F5000-memory.dmp

Filesize
500KB

Download
memory/1552-106-0x0000000000878000-0x00000000008F5000-memory.dmp

Filesize
500KB

Download
memory/1552-138-0x0000000000878000-0x00000000008F5000-memory.dmp

Filesize
500KB

Download
memory/1552-140-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/1552-79-0x0000000000000000-mapping.dmp

Download
memory/1552-139-0x00000000002D0000-0x00000000003A6000-memory.dmp

Filesize
856KB

Download
memory/1640-117-0x0000000000000000-mapping.dmp

Download
memory/1640-125-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/1644-55-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1644-54-0x0000000000880000-0x0000000000C28000-memory.dmp

Filesize
3.7MB

Download
memory/1712-110-0x0000000000A20000-0x0000000000A52000-memory.dmp

Filesize
200KB

Download
memory/1712-99-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1712-68-0x0000000000000000-mapping.dmp

Download
memory/1712-97-0x00000000007E0000-0x0000000000814000-memory.dmp

Filesize
208KB

Download
memory/1712-104-0x0000000000400000-0x000000000079D000-memory.dmp

Filesize
3.6MB

Download
memory/1712-168-0x00000000008F8000-0x0000000000924000-memory.dmp

Filesize
176KB

Download
memory/1712-98-0x00000000008F8000-0x0000000000924000-memory.dmp

Filesize
176KB

Download
memory/1712-88-0x00000000008F8000-0x0000000000924000-memory.dmp

Filesize
176KB

Download
memory/1808-128-0x0000000000000000-mapping.dmp

Download
memory/1808-131-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/1832-121-0x0000000000000000-mapping.dmp

Download
memory/1832-124-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/1920-94-0x0000000000000000-mapping.dmp

Download
memory/2068-150-0x0000000000000000-mapping.dmp

Download
memory/2068-153-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2180-184-0x0000000000000000-mapping.dmp

Download
memory/2188-183-0x0000000000000000-mapping.dmp

Download
memory/2328-159-0x0000000000000000-mapping.dmp

Download
memory/2356-160-0x0000000000000000-mapping.dmp

Download
memory/2480-162-0x0000000000000000-mapping.dmp

Download
memory/2628-185-0x0000000000000000-mapping.dmp

Download
memory/2676-186-0x0000000000000000-mapping.dmp

Download
memory/2760-179-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/2760-177-0x0000000000000000-mapping.dmp

Download
memory/2848-187-0x0000000000000000-mapping.dmp

Download
memory/2924-178-0x0000000000000000-mapping.dmp

Download
memory/3048-180-0x0000000000000000-mapping.dmp

Download
memory/3068-181-0x0000000000000000-mapping.dmp

Download