Malware Analysis Report

2024-11-30 07:50

Sample ID 240603-gp2reafb69
Target 90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118
SHA256 3d966ba83a832ae1c76ff14716925e6895777001064d42404fb86494571309ce
Tags
persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Likely malicious

The file 90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence spyware stealer

Drops file in Drivers directory

Sets DLL path for service in the registry

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:59

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:59

Reported

2024-06-03 06:02

Platform

win7-20240221-en

Max time kernel

130s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SET28A6.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SET28A6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll" C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe" C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279E.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279D.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279D.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\INFCACHE.0 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstor.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279F.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279F.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\oem2.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev2 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth." C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network." C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
PID 2876 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
PID 2492 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
PID 2492 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
PID 2816 wrote to memory of 452 N/A C:\Windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$400F4,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none

C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{11564226-9660-62d6-6a23-3f1e3d76f239}\teamviewervpn.inf" "9" "6b0706d3f" "0000000000000524" "WinSta0\Default" "0000000000000384" "208" "c:\users\admin\appdata\roaming\abodeupdate"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "teamviewervpn.inf:teamviewervpn.NTamd64:teamviewervpn.ndi:2.10.0.0:teamviewervpn" "6b0706d3f" "0000000000000524" "00000000000005B8" "00000000000005BC"

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe restart teamviewervpn

C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

Network

Country Destination Domain Proto
N/A 255.255.255.255:67 udp
US 8.8.8.8:53 ping3.teamviewer.com udp
DE 213.227.168.190:5938 ping3.teamviewer.com tcp
US 8.8.8.8:53 master3.teamviewer.com udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp

Files

memory/1848-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1848-2-0x0000000000401000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

MD5 86c17be77f3ea314eb1c43fb46ec2ee9
SHA1 57e664459585cb739e1ee278ff62ac25bd0fe0c0
SHA256 67668d64d65f1f39d37f9f02643ef07e0f1da8599a48796967a9ebbbcee9efa2
SHA512 320c17430584ee127c50ba3d8618dde649f97abea550f3f213a6637d48ffd21ce83103ed34c9ac2e5eb769b839293ddcb6e465d16a8ff876bae3a8bd58b2d787

memory/2876-8-0x0000000000400000-0x0000000000530000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-5O9VU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

MD5 f5fe906f801d99fafa8a9e0584a37008
SHA1 a80175b91e3f9606e63dd0d9a9271e23bbe10321
SHA256 10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b
SHA512 ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de

\Users\Admin\AppData\Roaming\AbodeUpdate\msimg32.dll

MD5 7be8e8b6eb0a7b3e4d02bd1e1c0694d3
SHA1 e8eab9de90873e267d63636fd269561ea7fb6d77
SHA256 e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90
SHA512 ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4

memory/1848-48-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2876-46-0x0000000000400000-0x0000000000530000-memory.dmp

memory/2492-49-0x0000000010000000-0x0000000010026000-memory.dmp

memory/2492-54-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg

MD5 c355c34a3f8e355aa20eaaaa9bbdffe5
SHA1 3b13ae21d7cdbe427a9367761b590bfb3a1e04c0
SHA256 5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110
SHA512 b665b65c1023b5f9f255388963245f0efa913d5b89024fa2eb03d164eb63d5334addf1a67b9db1a6ad8ef685c3d614d87225db1ec59b9c99459bc5f0b81d29ad

C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn86.cab

MD5 c7549d78f082a6cf81ba2c27f6c6a38f
SHA1 ea39fbc80cc62c11ace1ef495c856f3bc6c775a7
SHA256 240b9ee414817f500c18bffaba787c6f7b5e67a0e46d82cbbce02cb956073be3
SHA512 ffa75d64446b227642af964c6d5a8e1a14493b56d598b52cbd842cf22a9396eddde716effc431d25b21a26741bdaf9e2b509821099a5eb3e01bfc2343816fc2f

C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn64.cab

MD5 d4fe3ae6d05b2d4cb52484e2718ab390
SHA1 8da95d697c578c8d12e02c53fb185cb5825c4f63
SHA256 0fc7396c9eb14f764b18400f95c66fd168ec0626d455b48167119227b3b98c1e
SHA512 03a253bbc1663b7c03632c4a265195e2d668da5a0b3c6144ed2006fdffe50e131bb2a589aa41304e20979fa9a27e2acdbe8860916219d8ee265ebc185ef60fdd

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.exe

MD5 8e50a67752bd070fec717216b9376a7f
SHA1 19c776fd0fe89d6cb3f372d89cac4adf65dabe24
SHA256 f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b
SHA512 be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46

memory/2492-67-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.dll

MD5 6f68147027ba59a8af86ffe1b8fc6899
SHA1 99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458
SHA256 07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6
SHA512 5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.exe

MD5 c16719e5c670b7c18aab69dea8ea8c66
SHA1 95c9c3b44dcca278b42cb20b1e27d88ae4006f39
SHA256 c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689
SHA512 9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.dll

MD5 55b4875e6dd84b1a547a91a789515dfb
SHA1 ad598670ced636134f85c744f6283a16e3766d1f
SHA256 a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9
SHA512 d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_StaticRes.dll

MD5 4202e46ac536822fd7043c38e66d0ec8
SHA1 c8908477b539931168e9437d4e17e7c33fb10141
SHA256 542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4
SHA512 20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Resource_en.dll

MD5 5850b0e30cb6493170ea8d073f34766c
SHA1 d80b0181edca5be738f8c1c4355c4785d0360d06
SHA256 97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda
SHA512 a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Desktop.exe

MD5 36738935b6eadbdf570002ee44990360
SHA1 2621f86a0307a6be7032266db868c7af981bc016
SHA256 46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c
SHA512 5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14

\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

MD5 112b0c8b6b0c0a6c24f90081cc8a77d0
SHA1 1776a73316baeeb818884196a54f49d1385c06c8
SHA256 f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163
SHA512 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf

MD5 447fc733747db11cd4492ae01c5652fe
SHA1 2a70dcd391464cb8d3736322e07e966e105d396e
SHA256 a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
SHA512 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

\??\c:\users\admin\appdata\roaming\abodeupdate\teamviewervpn.cat

MD5 5cffe65f36b60bc151486c90382f1627
SHA1 f2a66eae89b4b19d4cab2ac630536af5eeeef121
SHA256 aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851
SHA512 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b

\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS

MD5 f5520dbb47c60ee83024b38720abda24
SHA1 bc355c14a2b22712b91ff43cd4e046489a91cae5
SHA256 b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
SHA512 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF

MD5 9b4fad40d315b21af46a49f511b78265
SHA1 670ad6753fc5323959d72a046abbd249e390edc7
SHA256 b9638e8d344bb3810d0890ec3565c0a92d7ee99b9f6da10db25c5c6ef9e2dd75
SHA512 f4c67626c7964239e98622bb11cf67e9d9a1f897d63b174a69ad27d469ae7a70bf49725b04944b0ac21d3d8a0c5739f276914ac389eefab38a5f498d2ea14251

C:\Windows\System32\DriverStore\INFCACHE.1

MD5 5af9ef18c2e552db86e52c4e7de3eda3
SHA1 962245763d189c29916f0e5b51115f6b08db7a97
SHA256 f90d8fcb0931fe82326608ccf680c4d3ca110d0df0b13b95aa3bc2cd21ec2e8d
SHA512 6b095bf73e1eb6f3b79a06b0ea2f66565e7823ef2e40ff05bf21a5647c42d9163aa79eb1d50e5df42a0eaebe5699e26463043719b5d78f160b18dd20a2f96467

C:\Windows\inf\oem2.PNF

MD5 34bd933808aa2bcb35f3b6d3cfa37427
SHA1 176b2193c74f647fa034407dfe637896f5e1ffa0
SHA256 689d08a1e8dfeb2e74d8265c03b5f0dc678245e952abc2ec67beb531ea64a0f2
SHA512 1b52ad9735b4fe9d5306597c37ea6bc988356a3d8f9bf4ac5349686e844dd89737569595ebe8947979707c1dd79b26a4e0552046d1a4fb4b52193af0f7860197

memory/2688-169-0x0000000001140000-0x0000000001166000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2EC3.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab2E91.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer.ini

MD5 8fc2e199aa5721f837d2ce2766a5860d
SHA1 3a09dfa5e28a2044cd99388bf1265927c1444a94
SHA256 044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5
SHA512 a8ca2f66f7b8cfb7ff67cfcec35848c7c2f29bc8b26d1239622a61a779b67d7af829699207f18dab8c9294dd9226943dac47ef8aeedfd90dfb733c13f1f218b5

memory/2492-232-0x0000000010000000-0x0000000010026000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:59

Reported

2024-06-03 06:02

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\SET1BFF.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\drivers\SET1BFF.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll" C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe" C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob data omitted] C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [blob data omitted] C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1844 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
PID 1844 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
PID 1844 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
PID 2344 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
PID 2344 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
PID 2344 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
PID 5072 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
PID 5072 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
PID 3724 wrote to memory of 3184 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3724 wrote to memory of 3184 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3724 wrote to memory of 1000 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3724 wrote to memory of 1000 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 5072 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
PID 5072 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$90030,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none

C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{47e8e878-4cc8-304f-be08-8b37cf2bb6e9}\teamviewervpn.inf" "9" "4b0706d3f" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\roaming\abodeupdate"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:teamviewervpn.ndi:2.10.0.0:teamviewervpn," "4b0706d3f" "0000000000000160"

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe restart teamviewervpn

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

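An added example, not part of the sandbox report, that runs the process list above through the triage checks a responder would otherwise apply by eye: binaries launched from AppData, the Inno Setup /verysilent and /password switches on the .tmp stub, driver INFs staged under a user profile (the svpn.exe install and the first DrvInst invocation), and svchost.exe started with a service group or a switch outside an allowlist (the SysWOW64 instance with -k MsHubSvc -svcr). The entries are copied from the Processes section; the svchost group allowlist and switch list are partial and are this example's assumption, not something the report states.

```python
"""Triage checks over the Processes section of the report above (added
example; process entries copied from the report)."""
import re

# (image path, command line) pairs copied from the Processes section.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" '
     r'/SL5="$90030,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" '
     r"/verysilent /password=none"),
    (r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe",
     r'"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"'),
    (r"C:\Windows\SysWOW64\svchost.exe",
     r"C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"),
    (r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe",
     r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn"),
    (r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"),
    (r"C:\Windows\system32\DrvInst.exe",
     r'DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{47e8e878-4cc8-304f-be08-8b37cf2bb6e9}\teamviewervpn.inf" '
     r'"9" "4b0706d3f" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\roaming\abodeupdate"'),
    (r"C:\Windows\system32\DrvInst.exe",
     r'DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" '
     r'"oem3.inf:3beb73aff103cc24:teamviewervpn.ndi:2.10.0.0:teamviewervpn," "4b0706d3f" "0000000000000160"'),
]

# Paths under a user profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Partial allowlist of built-in svchost service groups (assumption of this example).
SVCHOST_GROUPS = {"dcomlaunch", "netsvcs", "localservice", "networkservice", "rpcss",
                  "localsystemnetworkrestricted", "localservicenetworkrestricted",
                  "localservicenonetwork", "wsappx", "unistacksvcgroup"}
# The switches the real svchost.exe understands (assumption; -svcr is not one of them).
SVCHOST_SWITCHES = {"-k", "-p", "-s"}
STAGED_EXT = {"inf", "sys", "exe", "dll"}


def _tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage_process(image, cmdline):
    """Return the list of reasons this process deserves attention (empty if none)."""
    reasons = []
    toks = _tokens(cmdline)
    name = image.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(image):
        reasons.append("image executes from a user-writable AppData path")
    if any(t.lower() in ("/verysilent", "/silent") or t.lower().startswith("/password=") for t in toks):
        reasons.append("Inno Setup silent/unattended install switches")
    for t in toks[1:]:
        ext = t.lower().rsplit(".", 1)[-1] if "." in t else ""
        if ext in STAGED_EXT and USER_WRITABLE.search(t):
            reasons.append(f"references .{ext} under a user-writable path: {t}")
    if name == "svchost.exe":
        group = None
        if "-k" in toks and toks.index("-k") + 1 < len(toks):
            group = toks[toks.index("-k") + 1]
        if group is None or group.lower() not in SVCHOST_GROUPS:
            reasons.append(f"svchost service group {group!r} not in allowlist")
        for t in toks[1:]:
            if t.startswith("-") and t.lower() not in SVCHOST_SWITCHES:
                reasons.append(f"unexpected svchost switch {t}")
    return reasons


def triage_all(processes=PROCESSES):
    """Only the entries with findings, in report order."""
    hits = []
    for image, cmdline in processes:
        reasons = triage_process(image, cmdline)
        if reasons:
            hits.append({"image": image, "cmdline": cmdline, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage_all():
        print(hit["cmdline"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The two DrvInst invocations show why the INF path matters: the first installs from a copy under AppData\Local\Temp and is flagged, the second re-installs the same package from C:\Windows\INF\oem3.inf after Windows has copied it into the driver store and is not. The DcomLaunch svchost that spawned DrvInst passes cleanly, so the checks isolate the -k MsHubSvc -svcr instance rather than every svchost in the tree.
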
Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 ping3.teamviewer.com udp
SG 188.172.203.62:5938 ping3.teamviewer.com tcp
US 8.8.8.8:53 master3.teamviewer.com udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 62.203.172.188.in-addr.arpa udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 3.32.188.185.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 20.231.121.79:80 N/A tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
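
An added example, not part of the sandbox report, that reduces the Network table above to what matters: it separates DNS lookups from TCP connections, drops the reverse (in-addr.arpa) lookups the sandbox itself generates, lists the direct-to-IP connections that never had a resolved name, and counts connections per destination so the repeated port-5938 traffic to master3.teamviewer.com stands out as the session the dropped TeamViewer build establishes. The rows are an excerpt of the table; the port number is TeamViewer's documented client port, and the beacon threshold is this example's choice.

```python
"""Summary of the Network table of the report above (added example; rows
copied from the table, thresholds are this example's own)."""
from collections import Counter

# Excerpt of the Network table. A direct-to-IP connection has no resolved
# domain; the parser accepts either an N/A placeholder or a missing field.
NETWORK_EXCERPT = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 ping3.teamviewer.com udp
SG 188.172.203.62:5938 ping3.teamviewer.com tcp
US 8.8.8.8:53 master3.teamviewer.com udp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
US 8.8.8.8:53 3.32.188.185.in-addr.arpa udp
US 20.231.121.79:80 tcp
DE 185.188.32.3:5938 master3.teamviewer.com tcp
"""

# TeamViewer clients reach the vendor's routers on TCP 5938.
TEAMVIEWER_PORT = 5938


def parse_rows(text):
    """Turn 'Country Destination [Domain] Proto' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = "N/A"
        else:
            raise ValueError(f"unparseable row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "N/A" else domain, "proto": proto})
    return rows


def summarize(rows):
    """Separate DNS noise from real connections and count per destination."""
    s = {"forward_dns": [], "ptr_lookups": 0, "tcp_by_dest": Counter(),
         "direct_to_ip": [], "teamviewer_connections": 0}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"] and r["domain"].endswith(".in-addr.arpa"):
                s["ptr_lookups"] += 1          # reverse lookups: sandbox/OS noise
            elif r["domain"] and r["domain"] not in s["forward_dns"]:
                s["forward_dns"].append(r["domain"])
            continue
        if r["proto"] == "tcp":
            key = (r["ip"], r["port"], r["domain"] or "-", r["country"])
            s["tcp_by_dest"][key] += 1
            if r["domain"] is None:
                s["direct_to_ip"].append(f'{r["ip"]}:{r["port"]}')
            if r["port"] == TEAMVIEWER_PORT:
                s["teamviewer_connections"] += 1
    return s


def beacons(summary, min_count=3):
    """Destinations contacted repeatedly: the candidate relay/C2 endpoints."""
    return [(k, n) for k, n in summary["tcp_by_dest"].most_common() if n >= min_count]


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_EXCERPT))
    print("forward DNS:", s["forward_dns"])
    print("PTR lookups ignored:", s["ptr_lookups"])
    print("direct-to-IP TCP:", s["direct_to_ip"])
    print("TeamViewer-port connections:", s["teamviewer_connections"])
    for (ip, port, domain, cc), n in beacons(s):
        print(f"  beacon {ip}:{port} ({domain}, {cc}) x{n}")
```

The forward lookups are the part to keep for blocking and hunting: csc3-2004-crl.verisign.com is certificate revocation traffic that accompanies the "Modifies system certificate store" signature, while ping3 and master3.teamviewer.com are the vendor infrastructure the renamed client registers with. Run against the full table the same code reports the master3 endpoint as the only repeated destination.
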

Files

memory/1844-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1844-2-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

MD5 86c17be77f3ea314eb1c43fb46ec2ee9
SHA1 57e664459585cb739e1ee278ff62ac25bd0fe0c0
SHA256 67668d64d65f1f39d37f9f02643ef07e0f1da8599a48796967a9ebbbcee9efa2
SHA512 320c17430584ee127c50ba3d8618dde649f97abea550f3f213a6637d48ffd21ce83103ed34c9ac2e5eb769b839293ddcb6e465d16a8ff876bae3a8bd58b2d787

memory/2344-6-0x0000000000400000-0x0000000000530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0RPST.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

MD5 f5fe906f801d99fafa8a9e0584a37008
SHA1 a80175b91e3f9606e63dd0d9a9271e23bbe10321
SHA256 10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b
SHA512 ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de

C:\Users\Admin\AppData\Roaming\AbodeUpdate\MSIMG32.dll

MD5 7be8e8b6eb0a7b3e4d02bd1e1c0694d3
SHA1 e8eab9de90873e267d63636fd269561ea7fb6d77
SHA256 e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90
SHA512 ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4

memory/2344-42-0x0000000000400000-0x0000000000530000-memory.dmp

memory/5072-44-0x0000000010000000-0x0000000010026000-memory.dmp

memory/1844-49-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5072-50-0x0000000075880000-0x0000000075881000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg

MD5 c355c34a3f8e355aa20eaaaa9bbdffe5
SHA1 3b13ae21d7cdbe427a9367761b590bfb3a1e04c0
SHA256 5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110
SHA512 b665b65c1023b5f9f255388963245f0efa913d5b89024fa2eb03d164eb63d5334addf1a67b9db1a6ad8ef685c3d614d87225db1ec59b9c99459bc5f0b81d29ad

memory/5072-51-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Desktop.exe

MD5 36738935b6eadbdf570002ee44990360
SHA1 2621f86a0307a6be7032266db868c7af981bc016
SHA256 46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c
SHA512 5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14

C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn86.cab

MD5 c7549d78f082a6cf81ba2c27f6c6a38f
SHA1 ea39fbc80cc62c11ace1ef495c856f3bc6c775a7
SHA256 240b9ee414817f500c18bffaba787c6f7b5e67a0e46d82cbbce02cb956073be3
SHA512 ffa75d64446b227642af964c6d5a8e1a14493b56d598b52cbd842cf22a9396eddde716effc431d25b21a26741bdaf9e2b509821099a5eb3e01bfc2343816fc2f

C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn64.cab

MD5 d4fe3ae6d05b2d4cb52484e2718ab390
SHA1 8da95d697c578c8d12e02c53fb185cb5825c4f63
SHA256 0fc7396c9eb14f764b18400f95c66fd168ec0626d455b48167119227b3b98c1e
SHA512 03a253bbc1663b7c03632c4a265195e2d668da5a0b3c6144ed2006fdffe50e131bb2a589aa41304e20979fa9a27e2acdbe8860916219d8ee265ebc185ef60fdd

memory/5072-64-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.exe

MD5 8e50a67752bd070fec717216b9376a7f
SHA1 19c776fd0fe89d6cb3f372d89cac4adf65dabe24
SHA256 f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b
SHA512 be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.dll

MD5 6f68147027ba59a8af86ffe1b8fc6899
SHA1 99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458
SHA256 07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6
SHA512 5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.exe

MD5 c16719e5c670b7c18aab69dea8ea8c66
SHA1 95c9c3b44dcca278b42cb20b1e27d88ae4006f39
SHA256 c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689
SHA512 9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b

C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.dll

MD5 55b4875e6dd84b1a547a91a789515dfb
SHA1 ad598670ced636134f85c744f6283a16e3766d1f
SHA256 a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9
SHA512 d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_StaticRes.dll

MD5 4202e46ac536822fd7043c38e66d0ec8
SHA1 c8908477b539931168e9437d4e17e7c33fb10141
SHA256 542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4
SHA512 20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Resource_en.dll

MD5 5850b0e30cb6493170ea8d073f34766c
SHA1 d80b0181edca5be738f8c1c4355c4785d0360d06
SHA256 97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda
SHA512 a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144

memory/5072-65-0x0000000075860000-0x0000000075950000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

MD5 112b0c8b6b0c0a6c24f90081cc8a77d0
SHA1 1776a73316baeeb818884196a54f49d1385c06c8
SHA256 f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163
SHA512 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf

MD5 447fc733747db11cd4492ae01c5652fe
SHA1 2a70dcd391464cb8d3736322e07e966e105d396e
SHA256 a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
SHA512 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

\??\c:\users\admin\appdata\roaming\abodeupdate\teamviewervpn.cat

MD5 5cffe65f36b60bc151486c90382f1627
SHA1 f2a66eae89b4b19d4cab2ac630536af5eeeef121
SHA256 aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851
SHA512 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b

\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS

MD5 f5520dbb47c60ee83024b38720abda24
SHA1 bc355c14a2b22712b91ff43cd4e046489a91cae5
SHA256 b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
SHA512 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer.ini

MD5 8fc2e199aa5721f837d2ce2766a5860d
SHA1 3a09dfa5e28a2044cd99388bf1265927c1444a94
SHA256 044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5
SHA512 a8ca2f66f7b8cfb7ff67cfcec35848c7c2f29bc8b26d1239622a61a779b67d7af829699207f18dab8c9294dd9226943dac47ef8aeedfd90dfb733c13f1f218b5

memory/5072-164-0x0000000004850000-0x0000000004877000-memory.dmp

memory/5072-168-0x0000000010000000-0x0000000010026000-memory.dmp

memory/5072-170-0x0000000075860000-0x0000000075950000-memory.dmp
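
An added example, not part of the sandbox report, that parses the Files section above into records and applies the checks a responder wants before turning it into indicators: hash lengths are validated so a truncated copy does not end up in a blocklist, driver-package components (.inf/.cat/.sys) and executables dropped under the user profile are flagged, and a System32 DLL name sitting next to the dropped EXE (MSIMG32.dll beside SkypeC0SvcService.exe) is called out as the search-order hijack layout that goes with the "Loads dropped DLL" signature. The entries are an excerpt copied from the report; the list of system DLL names is partial and this example's assumption.

```python
"""Parser for the Files section of the report above, plus checks on the
dropped files (added example; entries copied from the report)."""
import re

# Excerpt of the Files section as it appears: a path line, then an optional
# block of hash lines. DrvInst reports NT paths (\??\...) and 8.3 short names.
FILES_EXCERPT = r"""
memory/5072-44-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Users\Admin\AppData\Roaming\AbodeUpdate\MSIMG32.dll

MD5 7be8e8b6eb0a7b3e4d02bd1e1c0694d3
SHA1 e8eab9de90873e267d63636fd269561ea7fb6d77
SHA256 e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90
SHA512 ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4

C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf

MD5 447fc733747db11cd4492ae01c5652fe
SHA1 2a70dcd391464cb8d3736322e07e966e105d396e
SHA256 a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
SHA512 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS

MD5 f5520dbb47c60ee83024b38720abda24
SHA1 bc355c14a2b22712b91ff43cd4e046489a91cae5
SHA256 b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
SHA512 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DRIVER_EXT = {"inf", "cat", "sys"}
# DLL names that live in System32; a same-named file next to a dropped EXE is
# the search-order hijack layout. Partial list, this example's assumption.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}


def normalize_path(path):
    """Drop the NT object-manager prefix DrvInst uses so paths compare alike."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_files(text):
    """Return [{'path', 'kind', 'hashes'}] for each entry of a Files section."""
    records, current = [], None
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in para.splitlines() if l.strip()]
        matches = [HASH_LINE.match(l) for l in lines]
        if all(matches):                       # a hash block belongs to the last path
            if current is not None:
                current["hashes"] = {m.group(1): m.group(2) for m in matches}
            continue
        path = lines[0]
        current = {"path": normalize_path(path),
                   "kind": "memory" if path.startswith("memory/") else "file",
                   "hashes": {}}
        records.append(current)
    return records


def bad_hashes(records):
    """Hashes whose length does not fit the algorithm (truncated copy/paste)."""
    return [(r["path"], algo) for r in records
            for algo, h in r["hashes"].items() if len(h) != HASH_LEN[algo]]


def flag(records):
    """Drops worth a closer look, with the reason for each."""
    findings = []
    for r in records:
        if r["kind"] != "file":
            continue
        name = r["path"].rsplit("\\", 1)[-1].lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        in_profile = bool(USER_WRITABLE.search(r["path"]))
        reasons = []
        if ext in DRIVER_EXT and in_profile:
            reasons.append("driver package component staged under a user profile")
        if ext in ("exe", "dll") and in_profile:
            reasons.append("executable dropped under AppData")
        if name in SYSTEM_DLL_NAMES:
            reasons.append("system DLL name beside the dropped EXE (search-order hijack layout)")
        if reasons:
            findings.append((r["path"], reasons))
    return findings


def sha256_iocs(records):
    """path -> SHA256 for every hashed file, ready for a blocklist."""
    return {r["path"]: r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]}
```

Memory dump entries carry no hashes and are kept only so the record order matches the report. The 8.3 name TEAMVI~1.SYS is the same driver the DrvInst command lines install from teamviewervpn.inf, so the .sys, .inf and .cat hashes together identify the kernel component that the SeLoadDriverPrivilege entries above correspond to.
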