Malware Analysis Report

2025-01-03 09:11

Sample ID 240620-mrrxwashqa
Target 053dc777d5280a3defe694134f3bc322_JaffaCakes118
SHA256 46511fa93f305cffd06debc2b1ff789ecbe8cfd3a10a2fe6ac23d37987cec00d
Tags bootkit evasion persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 46511fa93f305cffd06debc2b1ff789ecbe8cfd3a10a2fe6ac23d37987cec00d

Threat Level: Known bad

The file 053dc777d5280a3defe694134f3bc322_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bootkit evasion persistence

Modifies security service

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 10:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 10:42

Reported

2024-06-20 10:44

Platform

win7-20240220-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

Signatures

Modifies security service

Tags evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 10
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 10

Writes to the Master Boot Record (MBR)

Tags bootkit persistence
Description Indicator Process Target Count
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A 10
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe N/A 1

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A 10
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A 10
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A 10
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe N/A 1
File created C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2860 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2220 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2860 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe C:\Windows\SysWOW64\cPaner.com 4
PID 1448 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com 4
PID 2488 wrote to memory of 524 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe 4
PID 524 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2488 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com 4
PID 1716 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe 4
PID 1668 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 1716 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com 4
PID 2636 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe 4
PID 1900 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2636 wrote to memory of 708 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com 4
PID 708 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe 4
PID 1292 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 708 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com 4

Processes

C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 548 "C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 556 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 560 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 568 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 564 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 576 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 572 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 584 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 580 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 588 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

C:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

\Windows\SysWOW64\cPaner.com

MD5 053dc777d5280a3defe694134f3bc322
SHA1 a29c67a666c2783f550abb83217f29b1b76795f5
SHA256 46511fa93f305cffd06debc2b1ff789ecbe8cfd3a10a2fe6ac23d37987cec00d
SHA512 8b34af804389bb0d1fa45fb44c7075759df8b654e9cc149cd45dc5f1a44a9cd8d73418ec889ef16f956e445c64a4b5a6a5ab9fb1b9aaf590dfadfd94f87d3487


MD5 47985593a44ee38c64665b04cbd4b84c
SHA1 84900c2b2e116a7b744730733f63f2a38b4eb76e
SHA256 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70
SHA512 abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2299014e9ce921b7045e958d39d83e74
SHA1 26ed64f84417eb05d1d9d48441342ca1363084da
SHA256 ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57
SHA512 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 54ca6e3ef1c12b994043e85a8c9895f0
SHA1 5eaccfb482cbe24cf5c3203ffdc926184097427e
SHA256 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0
SHA512 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 501effddf60a974e98b67dc8921aa7e8
SHA1 734dfe4b508dbc1527ec92e91821a1251aec5b2e
SHA256 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06
SHA512 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5855edf3afa67e11de78af0389880d18
SHA1 c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f
SHA256 c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa
SHA512 5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 63ff40a70037650fd0acfd68314ffc94
SHA1 1ab29adec6714edf286485ac5889fddb1d092e93
SHA256 1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b
SHA512 2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5e073629d751540b3512a229a7c56baf
SHA1 8d384f06bf3fe00d178514990ae39fc54d4e3941
SHA256 2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
SHA512 84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

memory/2700-927-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2904-928-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2904-1047-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2076-1048-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2076-1167-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2452-1168-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2452-1287-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1916-1288-0x0000000000400000-0x0000000000491000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 10:42

Reported

2024-06-20 10:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

Signatures

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A
File created | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com | N/A
File opened for modification | C:\Windows\SysWOW64\aspr_keys.ini | C:\Windows\SysWOW64\cPaner.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3592 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4672 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4672 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3592 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cPaner.com
PID 3592 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cPaner.com
PID 3592 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe | C:\Windows\SysWOW64\cPaner.com
PID 3440 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4588 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4512 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 3440 wrote to memory of 4512 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 3440 wrote to memory of 4512 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4512 wrote to memory of 4564 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4564 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4564 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4564 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4564 wrote to memory of 5080 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4512 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4512 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4512 wrote to memory of 4432 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4432 wrote to memory of 900 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 900 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 900 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 3600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 900 wrote to memory of 3600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 900 wrote to memory of 3600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4432 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4432 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4432 wrote to memory of 5004 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 5004 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2688 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2688 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 5004 wrote to memory of 4088 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 5004 wrote to memory of 4088 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 5004 wrote to memory of 4088 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4088 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4584 wrote to memory of 3308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4584 wrote to memory of 3308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4088 wrote to memory of 212 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4088 wrote to memory of 212 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 4088 wrote to memory of 212 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 212 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 1500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3528 wrote to memory of 1500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3528 wrote to memory of 1500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 212 wrote to memory of 3956 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 212 wrote to memory of 3956 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 212 wrote to memory of 3956 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cPaner.com
PID 3956 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cPaner.com | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 2264 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1088 "C:\Users\Admin\AppData\Local\Temp\053dc777d5280a3defe694134f3bc322_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1208 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1184 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1180 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1188 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1192 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1196 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1204 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1212 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1216 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Files

memory/3592-1-0x0000000000940000-0x0000000000984000-memory.dmp

memory/3592-0-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3592-32-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/3592-42-0x0000000002640000-0x0000000002641000-memory.dmp

memory/3592-41-0x0000000002650000-0x0000000002651000-memory.dmp

memory/3592-40-0x0000000002620000-0x0000000002621000-memory.dmp

memory/3592-39-0x0000000002630000-0x0000000002631000-memory.dmp

memory/3592-38-0x0000000002600000-0x0000000002601000-memory.dmp

memory/3592-37-0x0000000002610000-0x0000000002611000-memory.dmp

memory/3592-36-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/3592-35-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/3592-34-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/3592-33-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/3592-31-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/3592-30-0x0000000002580000-0x0000000002581000-memory.dmp

memory/3592-29-0x0000000002590000-0x0000000002591000-memory.dmp

memory/3592-28-0x0000000002560000-0x0000000002561000-memory.dmp

memory/3592-27-0x0000000002570000-0x0000000002571000-memory.dmp

memory/3592-26-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3592-25-0x0000000002550000-0x0000000002551000-memory.dmp

memory/3592-24-0x0000000002410000-0x0000000002411000-memory.dmp

memory/3592-23-0x0000000002530000-0x0000000002531000-memory.dmp

memory/3592-22-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/3592-21-0x0000000002400000-0x0000000002401000-memory.dmp

memory/3592-20-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/3592-19-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/3592-17-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/3592-16-0x0000000002380000-0x0000000002381000-memory.dmp

memory/3592-15-0x0000000002390000-0x0000000002391000-memory.dmp

memory/3592-14-0x0000000002360000-0x0000000002361000-memory.dmp

memory/3592-13-0x0000000002370000-0x0000000002371000-memory.dmp

memory/3592-12-0x0000000002330000-0x0000000002331000-memory.dmp

memory/3592-11-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/3592-10-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/3592-9-0x0000000002320000-0x0000000002321000-memory.dmp

memory/3592-8-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3592-7-0x0000000002310000-0x0000000002314000-memory.dmp

memory/3592-6-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/3592-5-0x0000000000700000-0x0000000000701000-memory.dmp

memory/3592-4-0x0000000000710000-0x0000000000711000-memory.dmp

memory/3592-3-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/3592-18-0x00000000023B0000-0x00000000023B1000-memory.dmp

\??\c:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 61ec72543aaac5c7b336d2b22f919c07
SHA1 5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d
SHA256 088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea
SHA512 e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0a839c0e3eb1ed25e6211159e43f4df1
SHA1 a227a9322f58b8f40b2f6f326dca58145f599587
SHA256 717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0
SHA512 bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f5fa5178657d29a36c5dc4ac9445cbdc
SHA1 4be1a87a89715d24d52b23c59006f9cb74437ba0
SHA256 f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114
SHA512 54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/3592-154-0x00000000031B0000-0x00000000031B1000-memory.dmp

memory/3592-158-0x00000000031F0000-0x00000000031F1000-memory.dmp

memory/3592-163-0x0000000003220000-0x0000000003221000-memory.dmp

memory/3592-164-0x0000000003240000-0x0000000003241000-memory.dmp

C:\Windows\SysWOW64\cPaner.com

MD5 053dc777d5280a3defe694134f3bc322
SHA1 a29c67a666c2783f550abb83217f29b1b76795f5
SHA256 46511fa93f305cffd06debc2b1ff789ecbe8cfd3a10a2fe6ac23d37987cec00d
SHA512 8b34af804389bb0d1fa45fb44c7075759df8b654e9cc149cd45dc5f1a44a9cd8d73418ec889ef16f956e445c64a4b5a6a5ab9fb1b9aaf590dfadfd94f87d3487

memory/3592-176-0x0000000003250000-0x0000000003251000-memory.dmp

memory/3592-175-0x00000000032E0000-0x00000000032E1000-memory.dmp

memory/3592-174-0x00000000032F0000-0x00000000032F1000-memory.dmp

memory/3592-173-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/3592-172-0x00000000032D0000-0x00000000032D1000-memory.dmp

memory/3440-179-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3440-180-0x0000000000810000-0x0000000000854000-memory.dmp

memory/3592-171-0x00000000032A0000-0x00000000032A1000-memory.dmp

memory/3592-170-0x00000000032B0000-0x00000000032B1000-memory.dmp

memory/3440-185-0x0000000002380000-0x0000000002381000-memory.dmp

memory/3440-184-0x0000000002370000-0x0000000002371000-memory.dmp

memory/3592-169-0x0000000003280000-0x0000000003281000-memory.dmp

memory/3592-168-0x0000000003290000-0x0000000003291000-memory.dmp

memory/3592-162-0x0000000003230000-0x0000000003231000-memory.dmp

memory/3592-161-0x0000000003200000-0x0000000003201000-memory.dmp

memory/3592-160-0x0000000003210000-0x0000000003211000-memory.dmp

memory/3592-159-0x00000000031E0000-0x00000000031E1000-memory.dmp

memory/3592-157-0x00000000031C0000-0x00000000031C1000-memory.dmp

memory/3592-156-0x00000000031D0000-0x00000000031D1000-memory.dmp

memory/3592-155-0x00000000031A0000-0x00000000031A1000-memory.dmp

memory/3592-167-0x0000000003260000-0x0000000003261000-memory.dmp

memory/3592-166-0x0000000003270000-0x0000000003271000-memory.dmp

memory/3592-187-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3592-188-0x0000000000940000-0x0000000000984000-memory.dmp

memory/3440-189-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4512-191-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3440-304-0x0000000000810000-0x0000000000854000-memory.dmp

memory/3440-303-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4512-305-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4512-418-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4432-419-0x0000000000400000-0x0000000000491000-memory.dmp

memory/5004-421-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1 b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

memory/4432-533-0x0000000000400000-0x0000000000491000-memory.dmp

memory/5004-534-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4088-536-0x0000000000400000-0x0000000000491000-memory.dmp

memory/5004-648-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4088-649-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4cee92ad10b11dbf325a40c64ff7d745
SHA1 b395313d0e979fede2261f8cc558fcebfefcae33
SHA256 eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1
SHA512 3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9

memory/4088-762-0x0000000000400000-0x0000000000491000-memory.dmp

memory/212-763-0x0000000000400000-0x0000000000491000-memory.dmp

memory/212-876-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3956-877-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3956-990-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4588-991-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4588-1104-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4120-1105-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4120-1217-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2668-1218-0x0000000000400000-0x0000000000491000-memory.dmp